NPM Audit



  • Hi,

    In ProGet 5.1.16 - the PG-1403 issue - Improve error message when running npm audit, has changed the message to show that ProGet does not support the NPM audit endpoint.

    Are there any plans to add this support to future versions?

    Thanks

    Dave


  • inedo-engineer

    Unfortunately, npm audit is a totally undocumented endpoint and based on past experiences, npm's API frequently changes and is nontrivial to reverse engineer. Moreover, npm, Inc. does not permit or support third-party access to the API that's used by npm audit.

    When they change that underlying API (whether to enforce the no third-parties rule, or to do something from the client), ProGet will once again be broken (or worse, provide incomplete/incorrect results). At least now, you know that this is the only supported way to handle it...

    Do you have an npm enterprise license? This might be something to work with through their support channel.... they don't have a partner program at this time, so getting permission or insight into how we can access this API is difficult.


  • inedo-engineer

    Just as an update, we will be doing this:

    https://inedo.myjetbrains.com/youtrack/issue/PG-1555

    "Proxy npm audit requests to npmjs.org (experimental)"



  • Hi,

    That's great.

    Thanks for your time. Much appreciated



  • Would be great to have this option to use npm audit. ProGet is used in a corporate environment, where security is a pretty high priority, so not having npm audit working is kind of a deal-breaker, IMO.


  • inedo-engineer

    @maxim_mazurok this has been implemented for a couple years now -- however it is still considered an "Experimental feature" because the npm audit API is undocumented and npm, Inc. does not support third-party implementations.

    Instead, ProGet will attempt to forward requests to the audit endpoint to npmjs.org or a connector. This may stop working if npmjs.org changes the API or blocks ProGet's requests. They've only changed APIs once, and we've promptly fixed it. In any case, you can configure the proxy URL in ProGet 5.3 by navigating to the Manage Feed page on your npm feed.

