This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

Cannot run audit #20604

Open
3 of 14 tasks
micahalcorn opened this issue May 13, 2018 · 29 comments

@micahalcorn

micahalcorn commented May 13, 2018

I'm opening this issue because:

  • npm is crashing.
  • npm is producing an incorrect install.
  • npm is doing something I don't understand.
  • npm is producing incorrect or undesirable behavior.
  • Other (see below for feature requests):

What's going wrong?

npm audit results in a 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

How can the CLI team reproduce the problem?

Run npm audit with n managing node installations

0 info it worked if it ends with ok
1 verbose cli [ '/usr/local/bin/node', '/usr/local/bin/npm', 'audit' ]
2 info using npm@6.0.1
3 info using node@v10.0.0
4 verbose npm-session d540b974d0d3057d
5 timing audit compress Completed in 21ms
6 info audit Submitting payload of 110438 bytes
7 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 681ms
8 verbose stack Error: 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
8 verbose stack     at res.buffer.catch.then.body (/usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:94:15)
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:178:7)
9 verbose statusCode 400
10 verbose cwd /Users/kgb/Dropbox/Origin/demo-dapp
11 verbose Darwin 16.1.0
12 verbose argv "/usr/local/bin/node" "/usr/local/bin/npm" "audit"
13 verbose node v10.0.0
14 verbose npm  v6.0.1
15 error code E400
16 error 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
17 verbose exit [ 1, true ]

supporting information:

  • npm -v prints: 6.0.1
  • node -v prints: v10.0.0 (same result with v8.5.0)
  • npm config get registry prints: https://registry.npmjs.org/
  • Windows, OS X/macOS, or Linux?: macOS Sierra Version 10.12.1
  • Network issues:
    • Geographic location where npm was run: Oklahoma, United States?
    • I use a proxy to connect to the npm registry.
    • I use a proxy to connect to the web.
    • I use a proxy when downloading Git repos.
    • I access the npm registry via a VPN
    • I don't use a proxy, but have limited or unreliable internet access.
  • Container:
    • I develop using Vagrant on Windows.
    • I develop using Vagrant on OS X or Linux.
    • I develop / deploy using Docker.
    • I deploy to a PaaS (Triton, Heroku).
micahalcorn changed the title from "Cannot run npm audit" to "Cannot run audit" on May 13, 2018
@XinfinityoO

facing similar issue, npm is 6.0.1 and node is 8.11.1

@ihutc

ihutc commented May 13, 2018

I have the same problem with npm audit if my dependencies include a reference to a tarball, for example with the following in package.json

    "node-sass": "https://github.com/sass/node-sass/tarball/v5",

yields the following

0 info it worked if it ends with ok
1 verbose cli [ '/usr/local/bin/node', '/usr/local/bin/npm', 'audit' ]
2 info using npm@6.0.1
3 info using node@v8.9.4
4 verbose npm-session 3db686a5bad6017f
5 timing audit compress Completed in 7ms
6 info audit Submitting payload of 40362 bytes
7 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 1139ms
8 verbose stack Error: 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
8 verbose stack     at res.buffer.catch.then.body (/usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:94:15)
8 verbose stack     at <anonymous>
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:188:7)
9 verbose statusCode 400
10 verbose cwd /Users/ihutc/Repos/ihutc-tweet-delete
11 verbose Darwin 17.5.0
12 verbose argv "/usr/local/bin/node" "/usr/local/bin/npm" "audit"
13 verbose node v8.9.4
14 verbose npm  v6.0.1
15 error code E400
16 error 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
17 verbose exit [ 1, true ]

Otherwise with a package reference like

    "node-sass": "^4.9.0",

then npm audit works as expected.

I'm using Node 8.9.4 and NPM 6.0.1

@sanxing-chen

sanxing-chen commented May 15, 2018

Face the same problem

0 info it worked if it ends with ok
1 verbose cli [ 'C:\\Program Files\\nodejs\\node.exe',
1 verbose cli   'C:\\Users\\hhhh\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js',
1 verbose cli   'audit' ]
2 info using npm@6.0.1
3 info using node@v8.9.4
4 verbose npm-session ba8cfa9f640250b8
5 timing audit compress Completed in 11ms
6 info audit Submitting payload of 42855 bytes
7 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 983ms
8 verbose stack Error: 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
8 verbose stack     at res.buffer.catch.then.body (C:\Users\hhhh\AppData\Roaming\npm\node_modules\npm\node_modules\npm-registry-fetch\check-response.js:94:15)
8 verbose stack     at <anonymous>
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:188:7)
9 verbose statusCode 400
10 verbose cwd C:\Users\hhhh\source\repos\Recognizers-Text\JavaScript
11 verbose Windows_NT 10.0.16299
12 verbose argv "C:\\Program Files\\nodejs\\node.exe" "C:\\Users\\hhhh\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js" "audit"
13 verbose node v8.9.4
14 verbose npm  v6.0.1
15 error code E400
16 error 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
17 verbose exit [ 1, true ]

for my case

npm install --dev ava@0.25.0

causes this issue

@yadu-bolder

Facing the same issue.

npm ERR! code E400
npm ERR! 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

npm --version = 6.0.1
node --version = v8.9.4

@NejcZdovc

+1 from me as well

@ujeshurun

Need help resolving the same issue.

@antoniovj1

antoniovj1 commented May 23, 2018

Same here

info using npm@6.1.0
info using node@v8.9.4

@seishin4real

same here

"node-sass": "^4.7.2"
npm@5.10.0
node@10.2.1

@vhanla

vhanla commented May 28, 2018

Returns: GET method not allowed, even though it is a POST method (tested sending POST requests to that endpoint)

 http fetch POST 301 http://registry.npmjs.org/-/npm/v1/security/audits 218ms
 verbose stack SyntaxError: Unexpected end of JSON input while parsing near ''

@williamchong

same on npm@6.1.0 node@9.11.1
is this project dependency related?

@matrunchyk

npm -v
6.1.0

node -v
v8.11.1

@matrunchyk

Solved with:

  1. rm package-lock.json
  2. npm i
  3. npm audit fix

@quinnlangille

quinnlangille commented May 30, 2018

Looks as if references to any package that isn't a version number breaks the audit. I had one package pointing to a local directory and audit would break, to fix I

1. removed that dependency manually from package.json
2. rm -rf node_modules
3. rm package-lock.json
4. npm i (npm audit ran automatically on install this time)
5. npm audit fix
6. manually re-add package and reinstall node modules

Definitely not ideal, any idea if this is a bug or expected behaviour?

@matrunchyk

@quinnlangille thanks for the research. Btw there's a small typo:
npm audiit fix -> npm audit fix

@bantic

bantic commented May 30, 2018

I was getting the same error as @vhanla:

 http fetch POST 301 http://registry.npmjs.org/-/npm/v1/security/audits 218ms
 verbose stack SyntaxError: Unexpected end of JSON input while parsing near ''

This appears to be due to the fact that the registry URL is http instead of https. That POST is returning a 301 redirect to the https URL. I'm not sure why the redirect is not followed, but this seems to be the source of the problem. The JSON parsing error that is logged comes from when npm attempts to decode the JSON from the empty response body (via a call to body.json() here).

@vhanla I think your problem will be resolved if you use the https registry instead:

 npm config set registry https://registry.npmjs.org/

I also have the same problem @quinnlangille describes above, and removing the dependency that points to a local file also fixed the issue for me.

@XinfinityoO

the above does not work for me. I think the issue is something else. My registry is pointing to the correct HTTPS link and I also don't have any local files dependencies in my package.json file

    {
      "name": "*****",
      "version": "2.2.2",
      "repository": "https://git-codecommit.us-east-1.amazonaws.com/*********i",
      "dependencies": {
        "async": "^2.6.1",
        "aws-sdk": "^2.248.1",
        "bluebird": "",
        "node-fetch": "^2.1.2",
        "serverless-mocha-plugin": "^1.8.3",
        "serverless-plugin-stage-variables": "1.7.8"
      },
      "devDependencies": {},
      "license": "UNLICENSED",
      "private": true
    }

and I still get errors

@wearhere

Similar to what @quinnlangille reports, a package installed from GitHub was breaking it for me. This works around it #20604 (comment)

@paranoico

Why is this issue closed if it still is unresolved???

@quinnlangille

quinnlangille commented Jun 13, 2018

@XinfinityoO if you remove the empty string from bluebird then delete your node_modules and package-lock.json, does the audit work? From what I've experienced on a few different repos, I think it needs to see a version number

@quinnlangille

quinnlangille commented Jun 13, 2018

@paranoico this issue isn't closed. Post #20661 was closed, which is what the closed sign above is indicating

@francisrod01

I'm thinking... Remove the package-lock.json and run npm i again is check two way the packages?

@tutuca

tutuca commented Jun 19, 2018

Workaround doesn't work for me:

➜ less /home/tutuca/.npm/_logs/2018-06-19T01_22_38_059Z-debug.log
0 info it worked if it ends with ok
1 verbose cli [ '/home/tutuca/.venvs/potaje/bin/node',
1 verbose cli   '/home/tutuca/.venvs/potaje/bin/npm',
1 verbose cli   'audit' ]
2 info using npm@6.1.0
3 info using node@v10.4.1
4 verbose npm-session 7db8e1f7f26d798e
5 timing audit compress Completed in 8ms
6 info audit Submitting payload of 43919 bytes
7 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 1546ms
8 verbose stack Error: 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
8 verbose stack     at res.buffer.catch.then.body (/home/tutuca/.venvs/potaje/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:94:15)
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:68:7)
9 verbose statusCode 400
10 verbose cwd /home/tutuca/Proyectos/potaje
11 verbose Linux 4.15.0-23-generic
12 verbose argv "/home/tutuca/.venvs/potaje/bin/node" "/home/tutuca/.venvs/potaje/bin/npm" "audit"
13 verbose node v10.4.1
14 verbose npm  v6.1.0
15 error code E400
16 error 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
17 verbose exit [ 1, true ]

@codevbus

👍

@itsmepetrov

itsmepetrov commented Jun 27, 2018

I have the same issue if my package.json includes samlp@3.4.0 module.

npm --version = 6.0.1
node --version = v8.9.4

I think it's because samlp contains this dependency:

"xmldom": "auth0/xmldom#v0.1.19-auth0_1"
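
Added example (not part of any comment in this thread, and not npm's own code): a pre-flight check that lists every dependency whose spec is not a registry version, covering the forms commenters reported alongside the 400 (tarball URL, local path, GitHub shorthand, empty string), including transitive ones recorded in package-lock.json. The function names, the regex heuristics and the sample data are assumptions made for illustration; the lockfile walk assumes the nested `dependencies` layout written by npm 5/6.

```javascript
// Added example: a heuristic classifier, not npm's own spec parser.
// Classifies a spec from package.json, or the "version" field of a
// package-lock.json entry, by where npm would fetch it from.
function classifySpec(spec) {
  const s = String(spec == null ? '' : spec).trim();
  if (s === '') return 'empty';
  if (/^file:/i.test(s) || /^(\.{1,2}|~)?\//.test(s)) return 'file';
  if (/^git(\+[a-z]+)?:/i.test(s)) return 'git';
  if (/^https?:/i.test(s)) return 'tarball';
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return 'hosted-git';
  if (/^[^@\s\/:]+\/[^\s\/#:]+(#.*)?$/.test(s)) return 'hosted-git';
  return 'registry'; // semver version, range, or dist-tag
}

// Recursively walk the nested "dependencies" tree of a lockfile.
function walkLock(deps, trail, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const kind = classifySpec(entry.version);
    const path = trail.concat(name);
    if (kind !== 'registry') out.push({ where: path.join(' > '), spec: entry.version, kind });
    walkLock(entry.dependencies, path, out);
  }
  return out;
}

// Report direct (package.json) and locked (package-lock.json) offenders.
function findNonRegistryDeps(pkg, lock) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') out.push({ where: `package.json ${field} > ${name}`, spec, kind });
    }
  }
  return walkLock(lock && lock.dependencies, ['package-lock.json'], out);
}

// Constructed sample input built from the specs quoted in this thread.
const SAMPLE_PKG = { dependencies: {
  async: '^2.6.1', bluebird: '', samlp: '3.4.0',
  'node-sass': 'https://github.com/sass/node-sass/tarball/v5' } };
const SAMPLE_LOCK = { dependencies: {
  async: { version: '2.6.1' },
  samlp: { version: '3.4.0', dependencies: {
    // The commit hash is a placeholder, not the real one.
    xmldom: { version: 'github:auth0/xmldom#0000000000000000000000000000000000000000' } } } } };

console.log(findNonRegistryDeps(SAMPLE_PKG, SAMPLE_LOCK));
```

To run it against a real project, pass the parsed contents of its package.json and package-lock.json instead of the sample objects.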

@Paqrat76

Paqrat76 commented Jul 11, 2018

Same issue:
node --version -> 8.11.3
npm --version -> 6.1.0
npm install -> up to date in 3.959s
All dependencies/devDependencies have version numbers in package.json.
Deleted node_modules and package-lock.json and re-ran npm install.

npm ERR! 400 Bad Request - POST https://artifactory.aws.xxx.com:443/api/npm/npm/-/npm/v1/security/audits

From npm config list: registry = "https://artifactory.aws.xxx.com:443/api/npm/npm/"

Putting https://artifactory.aws.xxx.com:443/api/npm/npm/-/npm/v1/security/audits into browser results in the following:

{
  "errors" : [ {
    "status" : 404,
    "message" : "Not Found"
  } ]
}

while putting https://registry.npmjs.org/-/npm/v1/security/audits into browser results in the following:
{"code":"MethodNotAllowedError","message":"GET is not allowed"}.

Does something need to be done on the repository to make npm audit work? We are using jFrog Artifactory Enterprise v5.4.6.

@DanielRuf

> Does something need to be done on the repository to make npm audit work? We are using jFrog Artifactory Enterprise v5.4.6.

Ah so you use your own private registry / proxy?

@Paqrat76

@DanielRuf Yes... we access the npm repo via a proxy. Just found this (https://www.jfrog.com/jira/browse/RTFACT-16670), so it is definitely a jFrog Artifactory issue.

@wearhere

This issue happens for me without using a private registry / proxy though.

@adeguntoro

So, is this issue because of our internet connection or something else?
Because I have the same issue here.
