need assistance with npm audit not working when on corporate network

[brendonte]

Currently running Verdaccio 5.7.1

On my personal computer with open internet, I can run npm install and npm audit with no issues.

I installed Verdaccio on AWS Linux behind our corporate firewall. Had to set environment variable "export NODE_EXTRA_CA_CERTS=/location/of/ca/cert" in order for me to be able to make "npm install --registry http://localhost:4873" to work.

Everything appears to be working except for when running "npm audit --registry http://localhost:4873"

I've tested with and without "strict_ssl: false" and still didn't work.

Directly from the AWS instance hosting Verdaccio, if I do a "npm cache clean --force" and remove package-lock.json and node_modules, I can run "npm audit --registry https://registry.nodejs.org" with no issues. So I know the firewall isn't blocking traffic. It's only when using Verdaccio from the same instance does it not work.

Is there something else I'm missing in the configuration file to make this work with corporate CA cert?

Config.yml

#
# This is the default config file. It allows all users to do anything,
# so don't use it on production systems.
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: ./storage
# path to a directory with plugins to include
plugins: ./plugins

web:
  title: Verdaccio
  # comment out to disable gravatar support
  # gravatar: false
  # by default packages are ordercer ascendant (asc|desc)
  # sort_packages: asc
  # convert your UI to the dark side
  # darkMode: true
  # logo: http://somedomain/somelogo.png
  # favicon: http://somedomain/favicon.ico | /path/favicon.ico
  # rateLimit:
  #   windowMs: 1000
  #   max: 10000

# translate your registry, api i18n not available yet
# i18n:
# list of the available translations https://github.com/verdaccio/ui/tree/master/i18n/translations
#   web: en-US

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    # max_users: 1000

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $all

    # allow all known users to publish/publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated
    unpublish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# You can specify HTTP/1.1 server keep alive timeout in seconds for incoming connections.
# A value of 0 makes the http server behave similarly to Node.js versions prior to 8.0.0, which did not have a keep-alive timeout.
# WORKAROUND: Through given configuration you can workaround following issue https://github.com/verdaccio/verdaccio/issues/301. Set to 0 in case 60 is not enough.
server:
  keepAliveTimeout: 60

middlewares:
  audit:
    enabled: true
    strict_ssl: false

# log settings
logs: { type: stdout, format: pretty, level: http }
#experiments:
#  # support for npm token command
#  token: false
#  # disable writing body size to logs, read more on ticket 1912
#  bytesin_off: false
#  # enable tarball URL redirect for hosting tarball with a different server, the tarball_url_redirect can be a template string
#  tarball_url_redirect: 'https://mycdn.com/verdaccio/${packageName}/${filename}'
#  # the tarball_url_redirect can be a function, takes packageName and filename and returns the url, when working with a js configuration file
#  tarball_url_redirect(packageName, filename) {
#    const signedUrl = // generate a signed url
#    return signedUrl;
#  }

# This affect the web and api (not developed yet)
#i18n:
#web: en-US

Output from cmd when running npm audit

[ec2-user]$ npm audit --registry http://localhost:4873
npm WARN audit 500 Internal Server Error - POST http://localhost:4873/-/npm/v1/security/audits/quick

npm ERR! audit endpoint returned an error

logfile from /home/ec2-user/.npm/_logs/

0 verbose cli [
0 verbose cli   '/home/ec2-user/.nvm/versions/node/v17.6.0/bin/node',
0 verbose cli   '/home/ec2-user/.nvm/versions/node/v17.6.0/bin/npm',
0 verbose cli   'audit',
0 verbose cli   '--registry',
0 verbose cli   'http://localhost:4873',
0 verbose cli   '--verbose'
0 verbose cli ]
1 info using npm@8.5.1
2 info using node@v17.6.0
3 timing npm:load:whichnode Completed in 1ms
4 timing config:load:defaults Completed in 1ms
5 timing config:load:file:/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/npmrc Completed in 1ms
6 timing config:load:builtin Completed in 1ms
7 timing config:load:cli Completed in 3ms
8 timing config:load:env Completed in 0ms
9 timing config:load:file:/home/ec2-user/repos/abms-fe/.npmrc Completed in 2ms
10 timing config:load:project Completed in 20ms
11 timing config:load:file:/home/ec2-user/.npmrc Completed in 2ms
12 timing config:load:user Completed in 2ms
13 timing config:load:file:/home/ec2-user/.nvm/versions/node/v17.6.0/etc/npmrc Completed in 1ms
14 timing config:load:global Completed in 1ms
15 timing config:load:validate Completed in 1ms
16 timing config:load:credentials Completed in 1ms
17 timing config:load:setEnvs Completed in 1ms
18 timing config:load Completed in 31ms
19 timing npm:load:configload Completed in 31ms
20 timing npm:load:setTitle Completed in 0ms
21 timing config:load:flatten Completed in 2ms
22 timing npm:load:display Completed in 9ms
23 verbose logfile /home/ec2-user/.npm/_logs/2022-03-12T21_32_05_210Z-debug-0.log
24 timing npm:load:logFile Completed in 4ms
25 timing npm:load:timers Completed in 0ms
26 timing npm:load:configScope Completed in 0ms
27 timing npm:load Completed in 46ms
28 timing arborist:ctor Completed in 0ms
29 silly logfile start cleaning logs, removing 1 files
30 silly audit bulk request {
...
...
30 silly audit }
31 http fetch POST 500 http://localhost:4873/-/npm/v1/security/advisories/bulk 467ms
32 silly audit bulk request failed
33 http fetch POST 500 http://localhost:4873/-/npm/v1/security/audits/quick 424ms
34 verbose audit error HttpErrorGeneral: 500 Internal Server Error - POST http://localhost:4873/-/npm/v1/security/audits/quick
34 verbose audit error     at /home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:103:15
34 verbose audit error     at processTicksAndRejections (node:internal/process/task_queues:96:5)
34 verbose audit error     at async Map.[getReport] (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:337:21)
34 verbose audit error     at async Map.run (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:107:19)
34 verbose audit error     at async Arborist.audit (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/audit.js:37:24)
34 verbose audit error     at async Audit.exec (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/lib/commands/audit.js:49:5)
34 verbose audit error     at async module.exports (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/lib/cli.js:66:5) {
34 verbose audit error   headers: [Object: null prototype] {
34 verbose audit error     'access-control-allow-origin': [ '*' ],
34 verbose audit error     date: [ 'Sat, 12 Mar 2022 21:32:08 GMT' ],
34 verbose audit error     connection: [ 'keep-alive' ],
34 verbose audit error     'keep-alive': [ 'timeout=60' ],
34 verbose audit error     'transfer-encoding': [ 'chunked' ],
34 verbose audit error     'x-fetch-attempts': [ '1' ]
34 verbose audit error   },
34 verbose audit error   statusCode: 500,
34 verbose audit error   code: 'E500',
34 verbose audit error   method: 'POST',
34 verbose audit error   uri: 'http://localhost:4873/-/npm/v1/security/audits/quick',
34 verbose audit error   body: <Buffer >,
34 verbose audit error   pkgid: undefined
34 verbose audit error }
35 silly audit error
36 timing auditReport:getReport Completed in 1101ms
37 silly audit report null
38 timing audit Completed in 2336ms
39 warn audit 500 Internal Server Error - POST http://localhost:4873/-/npm/v1/security/audits/quick
40 timing command:audit Completed in 2339ms
41 error audit endpoint returned an error
42 verbose exit 1
43 timing npm Completed in 2827ms
44 verbose code 1

[brendonte]

So I noticed this when running "npm install"

npm verb reify failed optional dependency /home/ec2-user/repos/abms-fe/node_modules/fsevents
npm timing reifyNode:node_modules/fsevents Completed in 415ms
npm http fetch POST 500 http://localhost:4873/-/npm/v1/security/advisories/bulk 2729ms
npm http fetch POST 500 http://localhost:4873/-/npm/v1/security/audits/quick 4137ms
npm verb audit error HttpErrorGeneral: 500 Internal Server Error - POST http://localhost:4873/-/npm/v1/security/audits/quick
npm verb audit error     at /home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:103:15
npm verb audit error     at processTicksAndRejections (node:internal/process/task_queues:96:5)
npm verb audit error     at async Map.[getReport] (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:337:21)
npm verb audit error     at async Map.run (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:107:19)
npm verb audit error  HttpErrorGeneral: 500 Internal Server Error - POST http://localhost:4873/-/npm/v1/security/audits/quick
npm verb audit error     at /home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:103:15
npm verb audit error     at processTicksAndRejections (node:internal/process/task_queues:96:5)
npm verb audit error     at async Map.[getReport] (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:337:21)
npm verb audit error     at async Map.run (/home/ec2-user/.nvm/versions/node/v17.6.0/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:107:19) {
npm verb audit error   headers: [Object: null prototype] {
npm verb audit error     'access-control-allow-origin': [ '*' ],
npm verb audit error     date: [ 'Tue, 15 Mar 2022 16:57:35 GMT' ],
npm verb audit error     connection: [ 'keep-alive' ],
npm verb audit error     'transfer-encoding': [ 'chunked' ],
npm verb audit error     'x-fetch-attempts': [ '1' ]
npm verb audit error   },
npm verb audit error   statusCode: 500,
npm verb audit error   code: 'E500',
npm verb audit error   method: 'POST',
npm verb audit error   uri: 'http://localhost:4873/-/npm/v1/security/audits/quick',
npm verb audit error   body: <Buffer >,
npm verb audit error   pkgid: undefined
npm verb audit error }

[luban-130]

我也存在这种问题，npm http fetch POST 500 http://localhost:4873/-/npm/v1/security/advisories/bulk 2729ms
npm http fetch POST 500 http://localhost:4873/-/npm/v1/security/audits/quick 4137ms 这两步耗时特别长，期待有解决方案

[juanpicado]

You might need to go through a proxy https://verdaccio.org/docs/configuration#http_proxy-and-https_proxy very common in corporations, please check internally if that's the case and use the configuration I just shared.

[luban-130]

You might need to go through a proxy https://verdaccio.org/docs/configuration#http_proxy-and-https_proxy very common in corporations, please check internally if that's the case and use the configuration I just shared.您可能需要通过代理 https://verdaccio.org/docs/configuration#http_proxy-and-https_proxy 在公司中很常见，请在内部检查是否是这种情况，并使用我刚刚分享的配置。

请问https_proxy对应的地址应该写什么，有固定地址嘛，还是需要外网付费代理

[luban-130]

You might need to go through a proxy https://verdaccio.org/docs/configuration#http_proxy-and-https_proxy very common in corporations, please check internally if that's the case and use the configuration I just shared.

https_proxy: https://registry.npmjs.org/ 已经在配置文件中添加了https_proxy，但是npm install过程中audit地址请求的仍然是本地仓库npm verb audit error FetchError: network timeout at: http://localhost:4873/-/npm/v1/security/audits/quick

[juanpicado]

After seeing your example I think you misunderstand what ishttps_proxy for. Please give a read https://www.jhipster.tech/configuring-a-corporate-proxy/ about proxy corporations what exactly are and also ask internally in your company about it.