pnpm audit results in internal error?

[obones]

Hello,

I'm running this command:

pnpm audit --json --registry https://registry.npmjs.org/

and while it worked three days ago, with no changes to package.json, it now gives me this:

{
  "error": {
    "code": "ERR_PNPM_AUDIT_BAD_RESPONSE",
    "message": "The audit endpoint (at https://registry.npmjs.org/-/npm/v1/security/audits) responded with 500: {\"error\":\"Internal Server Error\"}"
  }
}

Now, I know this might well be an error at npmjs.org but their status page does not show anything.

Looking at the documentation for npm audit, I see that there are two endpoints bulk (with url /-/npm/v1/security/advisories/bulk) and quick (with url /-/npm/v1/security/audits/quick) but none of those two is used above, it's at least missing the /quick suffix.

What can I do to fix this situation?
I'm using pnpm 10.30.0 which I believe is the latest as of the time of writing this message.

Any help is greatly appreciated.

[wesleysmyth]

This is almost certainly an npm registry issue, not a pnpm bug. The audit endpoint (/-/npm/v1/security/advisories/bulk) occasionally returns malformed responses or 500s, especially during registry maintenance or high load.

Troubleshooting

1. Check if the npm registry audit endpoint is healthy:

curl -s -o /dev/null -w "%{http_code}" https://registry.npmjs.org/-/npm/v1/security/advisories/bulk -X POST -H "Content-Type: application/json" -d '{}'

If you get a 503 or 500, it's the registry.

2. Try with npm directly to confirm:

npm audit --json --registry https://registry.npmjs.org/

If npm also fails with a similar error, it's the registry.

3. Clear cache and retry:

pnpm store prune
pnpm audit --json --registry https://registry.npmjs.org/

4. Check your lockfile hasn't been corrupted:

pnpm install --frozen-lockfile
pnpm audit --json

Known causes

• Large dependency trees: If your project has thousands of packages, the audit bulk request payload can exceed what the registry API handles gracefully. This can be intermittent.
• Registry mirrors: If you're behind a corporate proxy or using a registry mirror (Artifactory, Verdaccio), the mirror may not proxy the audit endpoint correctly.
• Rate limiting: The npm audit endpoint has rate limits. Running it in CI frequently can trigger 429 responses that pnpm reports as ERR_PNPM_AUDIT_BAD_RESPONSE.

Workaround

If you need audit results now and the bulk endpoint is flaky:

# Use the advisory database directly
npx auditjs ossi
# or
npx better-npm-audit audit

If this started happening without any changes to your package.json, it's almost certainly a transient registry issue. Try again in a few hours — these typically resolve within a day.

[obones]

Well, I can hear that it is a registry issue, but pnpm is NOT using the /-/npm/v1/security/advisories/bulk entry at all.
I have a private registry that I can connect to and that's the error that I get:

 ERR_PNPM_AUDIT_BAD_RESPONSE  The audit endpoint (at https://repository.mycompany.com/npm/ExternalNPM/-/npm/v1/security/audits) responded with 501: {"error":"ENOAUDIT","reason":"Only the newer bulk audit endpoint is supported; the legacy (quick audit) format is not supported. "}

So, is there a way to tell pnpm to only use the newer bulk audit endpoint?
I looked in the source code and nowhere can I see the security/advisories/bulk url being used at all.

[anttis]

I filed an issue regarding this problem in #10649 (didn't realize to check out discussions beforehand).

Anyway, there's a small repro package.json included in the issue. And from what I gather:

• This is not related to a large dependency tree, this can be reproduced with a single dependency.
• Audit endpoint is healthy, the audit works OK in yarn v4 and npm. (Not actually sure if they use another endpoint but aanyway...)
• No proxies or registry mirrors involved - npm and yarn v4 work and also tested in a non-corpo network.
• Rate limiting is not the reason, the HTTP code is 500, not 429.

Soo, probably something changed in the npm registry's end, but I think some action is required from either npm or pnpm side 🤔 (yarn v1 audit gets an HTTP 500 also, but not sure if that's relevant since it has been frozen for years already).

[zkochan]

Fixed in 10.30.1