Skip to content

[BUG] NPM Audit Down #9004

@hackerman-jpeg

Description

@hackerman-jpeg

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The npm security audit endpoint (https://registry.npmjs.org/-/npm/v1/security/audits) is returning persistent HTTP 500 Internal Server Error responses. This blocks all npm audit and pnpm audit operations across projects.

Expected Behavior

The audit endpoint should return a JSON response with advisory data (or an empty advisories object if no vulnerabilities are found).
Actual Behavior

The endpoint returns:

HTTP/1.1 500 Internal Server Error
{"error":"Internal Server Error"}

pnpm retries with backoff and then fails:

WARN post https://registry.npmjs.org/-/npm/v1/security/audits error (500). Will retry in 10 seconds. 2 retries left.
WARN post https://registry.npmjs.org/-/npm/v1/security/audits error (500). Will retry in 1 minute. 1 retries left.
ERR_PNPM_AUDIT_BAD_RESPONSE The audit endpoint (at https://registry.npmjs.org/-/npm/v1/security/audits) responded with 500: {"error":"Internal Server Error"}

Steps To Reproduce

Using pnpm (same endpoint as npm audit)

pnpm audit

Or with npm directly

npm audit

Or raw curl to the endpoint

curl -X POST https://registry.npmjs.org/-/npm/v1/security/audits
-H "Content-Type: application/json"
-d '{"name":"test","version":"1.0.0","requires":{},"dependencies":{}}'
-v

Environment

  • Date/Time: 2026-02-19 ~23:50 UTC onwards (sustained, not transient)
    • pnpm version: 9.0.0
    • Node version: v20.x
    • OS: macOS Darwin 25.3.0 (arm64)
    • Registry: https://registry.npmjs.org/ (default, no custom registry)
    • Network: Direct connection, no proxy. All other registry operations (install, outdated, publish) work fine — only the /security/audits POST endpoint is affected.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next steps

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions