[BUG] NPM Audit Down

[hackerman-jpeg]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

The npm security audit endpoint (https://registry.npmjs.org/-/npm/v1/security/audits) is returning persistent HTTP 500 Internal Server Error responses. This blocks all npm audit and pnpm audit operations across projects.

Expected Behavior

The audit endpoint should return a JSON response with advisory data (or an empty advisories object if no vulnerabilities are found).
Actual Behavior

The endpoint returns:

HTTP/1.1 500 Internal Server Error
{"error":"Internal Server Error"}

pnpm retries with backoff and then fails:

WARN post https://registry.npmjs.org/-/npm/v1/security/audits error (500). Will retry in 10 seconds. 2 retries left.
WARN post https://registry.npmjs.org/-/npm/v1/security/audits error (500). Will retry in 1 minute. 1 retries left.
ERR_PNPM_AUDIT_BAD_RESPONSE The audit endpoint (at https://registry.npmjs.org/-/npm/v1/security/audits) responded with 500: {"error":"Internal Server Error"}

Steps To Reproduce

Using pnpm (same endpoint as npm audit)

pnpm audit

Or with npm directly

npm audit

Or raw curl to the endpoint

curl -X POST https://registry.npmjs.org/-/npm/v1/security/audits
-H "Content-Type: application/json"
-d '{"name":"test","version":"1.0.0","requires":{},"dependencies":{}}'
-v

Environment

• Date/Time: 2026-02-19 ~23:50 UTC onwards (sustained, not transient)
  • pnpm version: 9.0.0
  • Node version: v20.x
  • OS: macOS Darwin 25.3.0 (arm64)
  • Registry: https://registry.npmjs.org/ (default, no custom registry)
  • Network: Direct connection, no proxy. All other registry operations (install, outdated, publish) work fine — only the /security/audits POST endpoint is affected.

[useafterfree]

the raw curl works for me, but pnpm audit does not

[chadlwilson]

Seems related to the v1 API. Seems PNPM made a change to prefer the newer API based on pnpm/pnpm#10649

Is npm audit really broken? Or just on very old versions using the v1 API? (npm audit seems fine with 11.8.0 at least, so I suspect any issues with the CLI are limited to old npm versions that used the v1 API)

[pvds]

Tested at 2026-02-20 08:02:49Z with Node 24, NPM 11.6.4 and PNPM 10.29.2 both npm audit and pnpm audit work fine.

[jamgregory]

It may have been related to Cloudflare maintenance yesterday (npm didn't appear to report it for some reason) as it also impacted Yarn audits: yarnpkg/yarn#9220

[chadlwilson]

@jamgregory Do you have any evidence of that, or it's just speculation? I don't see why there is any reason to believe it's to do with some specific cloudflare maintenance - which part of NPM's infrastructure depends on Cloudflare internally such that it would cause internal server errors?

IIRC Yarn v1 depends on the NPM v1 (non quick) audit (as do earlier npm versions and pnpm before their change today) - so if the v1 non-quick audit API was having issues for whatever reason it might be expected to affect Yarn v1.

[jamgregory]

@jamgregory Do you have any evidence of that, or it's just speculation?

It's speculation, based on the fact that Yarn mentions the npm registry being hosted on Cloudflare and that Cloudflare was performing maintenance yesterday. Additionally, we started seeing issues at around 1400 UTC and I can see people in other issues reporting the issue as resolved after 2359 UTC.

[chadlwilson]

Ok. I'm not sure this speculation helps or makes sense, since that FAQ is referring primarily to caching reverse proxy/CDNs infra rather than where the backends sit, and reverse proxy problems typically do not manifest as 500s (generally you'd get 503/503/504 from a reverse proxy).

Besides, Cloudflare do maintenance all the time so picking some maintenance in Portland seems a bit arbitrary for a problem observed globally without any other wider reported Cloudflare issue.