registry.npmjs.org audit endpoint returns 500 for a payload containing axios

[genesis-gh-ikriv]

Select Topic Area

Bug

Body

I am seeing consistent 500 Internal Server Error responses from the npm security audit endpoint.
POST https://registry.npmjs.org/-/npm/v1/security/audits

This reproduces with a minimal package tree containing only axios (no auth, no private registry):

Request:

curl -sS -v \ 
-H "Content-Type: application/json" \  
-H "Accept: application/json" \  
--data-binary @- \  
"https://registry.npmjs.org/-/npm/v1/security/audits" <<'JSON'
{  
  "name": "genesis-dashboard-new",  
  "version": "0.0.0",  
  "install": ["axios@1.13.2"],  
  "remove": [],  
  "metadata": {},  
   "requires": { "axios": "^1.12.0" },  
   "dependencies": {    
       "axios": { "version": "1.13.2", "requires": {}, "dependencies": {}, "dev": false }
  }
}JSON

Result:
HTTP status: 500
Response body: {"error":"Internal Server Error"}

Example response headers from a repro:

CF-Ray: 9d071f21aa490a0b-IAD
Timestamp: Thu, 19 Feb 2026 16:25:56 GMT

The same endpoint returns 200 for other minimal payloads (example: left-pad@1.3.0), so the service is up, but appears to error for specific package trees (this minimal case is axios).

This is impacting CI because yarn audit relies on this endpoint.
Thanks in advance!

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[LewisJEllis]

whatever in the world is going on here i would love to read the eventual post mortem / RCA on it :)

[dylan-chong]

me too. and why the npm status page is still green :/

[rlueder]

Update: Not axios-specific — the legacy /security/audits endpoint is broken for any package with active advisories.

I had Claude troubleshoot this systematically using curl against the two npm audit API endpoints.

Methodology

Minimal POST requests to https://registry.npmjs.org/-/npm/v1/security/audits with a single dependency per request:

curl -s -o /dev/null -w "%{http_code}" \
  -X POST https://registry.npmjs.org/-/npm/v1/security/audits \
  -H "Content-Type: application/json" \
  -d '{ "name": "test", "version": "1.0.0", "requires": { "<pkg>": "<ver>" }, "dependencies": { "<pkg>": { "version": "<ver>" } } }'

Results: /security/audits (legacy endpoint)

Package	Version	Has Advisories?	Status	Time
left-pad	1.3.0	No	200	0.2s
express	4.21.0	No	200	0.2s
axios	0.19.0 → 1.13.4	Yes	500	~15s
axios	1.13.5+	No (patched)	200	0.2s
lodash	4.17.20	Yes	500	~15s
lodash	4.17.21	Yes (still vuln)	500	~15s
jsonwebtoken	8.5.1	Yes	500	~15s
jsonwebtoken	9.0.0	No (patched)	200	0.2s
minimist	1.2.5	Yes	500	~15s
minimist	1.2.8	No (patched)	200	0.2s
tough-cookie	4.1.2	Yes	500	~15s
tough-cookie	4.1.3	No (patched)	200	0.2s

Results: Alternative endpoints (all working)

Endpoint	Package	Status
/security/audits/quick	axios@1.13.2	200
/security/advisories/bulk	axios@1.13.2	200
/security/advisories/bulk	multi-package payload	200

Pattern

The pattern is consistent: if the queried version has at least one active advisory, the legacy /security/audits endpoint returns 500 after a ~15 second timeout. If the version has zero advisories, it returns 200 immediately.

The newer endpoints (/audits/quick and /advisories/bulk) work fine — they use a different server-side code path and correctly return advisory data.

Impact

• pnpm audit — uses the legacy endpoint, affected
• npm audit (v7+) — uses the bulk endpoint, should be unaffected
• yarn audit — likely uses the legacy endpoint, likely affected
• Any project with any transitive dependency that has known vulnerabilities will fail — this is not package-specific

[hackerman-jpeg]

Yes, mine was just npm audit and pnpm audit not just axios.

[genesis-gh-ikriv]

Yes, yarn is affected.
We were using yarn audit indirectly via uv run audit-security

[hackerman-jpeg]

First time for this? Still down...yes, very fishy. Guess we'll watch the security news next week.

[rlueder]

CI Workaround for pnpm users

Since npm audit (v7+) uses the working /advisories/bulk endpoint, you can swap it into your CI pipeline even if you use pnpm as your package manager.

The trick is to generate a package-lock.json on the fly without actually installing anything:

steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: "22"
  # Install with your preferred package manager as usual
  - run: corepack enable
  - run: pnpm install --frozen-lockfile
  # Generate a package-lock.json from the existing node_modules
  - name: Generate npm lockfile
    run: npm i --package-lock-only --ignore-scripts
  # Run audit via npm (uses the bulk endpoint that actually works)
  - name: Security audit
    run: npm audit --omit=dev --audit-level=high

Key points:

• npm i --package-lock-only --ignore-scripts creates a package-lock.json by resolving the dependency tree from node_modules — it does not install or modify anything
• npm audit --omit=dev is equivalent to pnpm audit --prod (skips devDependencies)
• This works regardless of whether your project uses pnpm, yarn, or npm for regular development
• The generated package-lock.json should be added to .gitignore if you are not an npm project

Tested and working as of today. Should be easy to revert once the legacy endpoint is fixed.

[dylan-chong]

i copy pasted the issue to the npm cli page, hopefully someone see's this soon 🤞
npm/cli#9003

[dylan-chong]

"All systems operational" according to npm :/ https://status.npmjs.org/.

[rlueder]

The npm audit command sends the dependency tree to the npm Registry Bulk Advisory (new) endpoint:

• Endpoint: POST https://registry.npmjs.org/-/npm/v1/security/advisories/bulk
• It sends a JSON payload of your installed package names + version ranges, and the registry responds with known vulnerabilities.
• This is the endpoint behind the "Security Audit" component on the status page.

There's also a quick-audit endpoint used during npm install:

• POST https://registry.npmjs.org/-/npm/v1/security/audits/quick

The broken endpoint is not tracked on the status page, that's why it's green.

[dilbagh]

It's been erroring for at least 8 hours now, my build pipeline was broken.

[rokatx]

yet npm's status page claims "All Systems Operational". #crazytown