yarnpkg/yarn

Yarn audit does not work with an external repository

adamscybot opened this issue · 9 comments

Do you want to request a feature or report a bug?
Bug

What is the current behavior?

When running yarn audit with the --registry flag, it uses the main yarn repo anyway.

If the current behavior is a bug, please provide the steps to reproduce.

Execute yarn audit --registry https://registry.npmjs.org/

What is the expected behavior?

Audit calls are made to the defined registry. This is especially important for everyone with third-party repos where the outside world is blocked on CI agents, or if you're using some kind of proxy.

Please mention your node.js, yarn and operating system version.

macOS Mojave
Yarn 1.13.0
Node 10.15.1

What exactly is happening on LINE 217?

    async _fetchAudit(auditTree: AuditTree): Object {
      let responseJson;
      const registry = YARN_REGISTRY;
      this.reporter.verbose(`Audit Request: ${JSON.stringify(auditTree, null, 2)}`);
      const requestBody = await gzip(JSON.stringify(auditTree));
      const response = await this.config.requestManager.request({
        url: `${registry}/-/npm/v1/security/audits`,
        method: 'POST',
        body: requestBody,
        headers: {
          'Content-Encoding': 'gzip',
          'Content-Type': 'application/json',
          Accept: 'application/json',
        },
      });

Do you have an endpoint configured that automatically calls npm's audit registry?

@abhisheksoni27 on line 217 the YARN_REGISTRY constant is used, which corresponds to https://registry.yarnpkg.com

export const YARN_REGISTRY = 'https://registry.yarnpkg.com';
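
Added example (not Yarn's code and not the change made in the PRs linked in this thread): one way the audit endpoint could be derived from a configured registry instead of the hard-coded constant quoted above, so the dependency tree is only posted to the host the user chose. `resolveAuditUrl`, `buildAuditRequest`, `DEFAULT_REGISTRY`, the internal registry URL and the sample audit tree are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not part of the Yarn code base.
const zlib = require('node:zlib');

// Value of YARN_REGISTRY as quoted in the thread; used only as the fallback.
const DEFAULT_REGISTRY = 'https://registry.yarnpkg.com';
// Audit path taken from the quoted _fetchAudit excerpt.
const AUDIT_PATH = '/-/npm/v1/security/audits';

// Build the audit URL from an optional registry override (e.g. --registry).
function resolveAuditUrl(registryOverride) {
  const url = new URL(registryOverride || DEFAULT_REGISTRY); // throws on malformed input
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`Unsupported registry protocol: ${url.protocol}`);
  }
  // Keep a path prefix (proxy repositories are often mounted under one) and
  // drop trailing slashes so "https://host/" does not yield "//-/npm/...".
  const prefix = url.pathname.replace(/\/+$/, '');
  return `${url.origin}${prefix}${AUDIT_PATH}`;
}

// Assemble the same request shape as the quoted excerpt, but against the
// resolved registry rather than the constant.
function buildAuditRequest(auditTree, registryOverride) {
  return {
    url: resolveAuditUrl(registryOverride),
    method: 'POST',
    body: zlib.gzipSync(JSON.stringify(auditTree)),
    headers: {
      'Content-Encoding': 'gzip',
      'Content-Type': 'application/json',
      Accept: 'application/json',
    },
  };
}

// Constructed sample input: a minimal audit tree and an internal proxy URL.
const sampleTree = {name: 'demo', version: '1.0.0', requires: {}, dependencies: {}};
const internalRegistry = 'https://npm.internal.example/repository/npm-group/';

console.log(buildAuditRequest(sampleTree).url);                   // fallback
console.log(buildAuditRequest(sampleTree, internalRegistry).url); // override honoured
```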

Hey, can I try to solve this bug?

Hi @pratyushj, the issue already has its PR #7263. Thanks!
In addition to that, it has a duplicate PR #6484

This is still open in 2022, any update on this?

Any update? Still seeing this in March 2022.

Hi, is this still open in 2022?

Still open in 2023.

Greetings from 2k24.