npm audit down?

[lumadev]

Select Topic Area

Question

Body

Hi everyone,

I'm consistently getting a "500 Internal Server Error" when running pnpm audit and yarn audit in my projects.

I’ve checked the official npm status page and searched online, but I can't find any reports of an ongoing outage. Is anyone else experiencing this?

[jpSimkins]

It seems so. I am having 500 errors on all my GitHub actions and local environments. I noticed this for about 4 hours now. Was coming here to post this but saw your ticket

[bari199]

According to npm docs, audit commands send your dependency tree to the registry to retrieve vulnerability reports, so failures often happen when the registry endpoint is unstable or returning errors.
You can try a few quick checks to rule out local causes:
Verify your registry:
npm config get registry (should typically be https://registry.npmjs.org/)
Clear cache:
npm cache clean --force
Retry with ignore flag (pnpm):
pnpm audit --ignore-registry-errors
Check if you’re behind a proxy/VPN or corporate network
Try again after some time — transient 500 errors are often temporary
If others aren’t reporting it widely, it could also be related to network routing, DNS, or a custom/private registry configuration.

[jpSimkins]

I appreciate the details.

Considering that the entire development team (spread across many states, remote dev teams) and our GitHub Actions workflows are all affected, Occam’s razor would suggest this is likely an upstream issue rather than an isolated one.

With that said, it's worth a shot:

Initial audit:

$ pnpm audit
 WARN  post https://registry.npmjs.org/-/npm/v1/security/audits error (500). Will retry in 10 seconds. 2 retries left.
 WARN  post https://registry.npmjs.org/-/npm/v1/security/audits error (500). Will retry in 1 minute. 1 retries left.
 ERR_PNPM_AUDIT_BAD_RESPONSE  The audit endpoint (at https://registry.npmjs.org/-/npm/v1/security/audits) responded with 500: {"error":"Internal Server Error"}

Validation and Cache Clearing:

$ npm config get registry
https://registry.npmjs.org/

$ npm cache clean --force
npm warn using --force Recommended protections disabled.

Audit while ignoring registry errors:

$ pnpm audit --ignore-registry-errors
 WARN  post https://registry.npmjs.org/-/npm/v1/security/audits error (500). Will retry in 10 seconds. 2 retries left.
 WARN  post https://registry.npmjs.org/-/npm/v1/security/audits error (500). Will retry in 1 minute. 1 retries left.
The audit endpoint (at https://registry.npmjs.org/-/npm/v1/security/audits) responded with 500: {"error":"Internal Server Error"}

 No proxy issues or anything. I did attempt to use a VPN to CA since I am in FL. Same issue. At this point, it seems to be an upstream issue. Not sure how many people will complain about it.
 

[eugenefm]

Down for me too

[jpSimkins]

Actually, it is NOT fully down. While I can get it to work with a minimal package.json:

{
  "name": "tmp",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "typescript": "5.9.3"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "packageManager": "pnpm@10.30.0"
}

As soon as I add any packages like eslint, jest, or typedoc it errors out.

[trystian1]

Down for us as well, any news on this ?

[jpSimkins]

I think the issue may be due to minimatch and we will need to wait for a patch. (not absolute and could be completely wrong)

A simple test:

{
  "name": "tmp",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "minimatch": "^9.0.5"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "packageManager": "pnpm@10.30.0"
}

and we have the audit failure.

If you view it:

$ npm view minimatch

minimatch@10.2.2 | BlueOak-1.0.0 | deps: 1 | versions: 119
a glob matcher in javascript
https://github.com/isaacs/minimatch#readme

dist
.tarball: https://registry.npmjs.org/minimatch/-/minimatch-10.2.2.tgz
.shasum: 361603ee323cfb83496fea2ae17cc44ea4e1f99f
.integrity: sha512-+G4CpNBxa5MprY+04MbgOw1v7So6n5JY166pFi9KfYwT78fxScCeSNQSNzp6dpPSW2rONOps6Ocam1wFhCgoVw==
.unpackedSize: 460.2 kB

dependencies:
brace-expansion: ^5.0.2 

maintainers:
- isaacs <removed>

dist-tags:
latest: 10.2.2     legacy-v7: 7.4.6   legacy-v4: 4.2.3   legacy-v5: 5.1.6   v3.0-legacy: 3.0.8 v3-legacy: 3.1.2   

published 5 hours ago by isaacs <removed>

the only dependency is brace-expansion which works fine with the audit.

So this leads me to believe it is an issue with minimatch.

They even state:

This is the matching library used internally by npm.

Other packages I use seem to use this package as a dependency directly or as a dependency of a dependency.

If I remove all packages that use this, audit works for me.

While not the best way to identify the issue, and perhaps even completely wrong, this is my assessment for my repos.

They do seem to have a vulnerability (ReDoS risk) that I have seen 2 PRs for.

While I am not 100% sure if that is the cause for everyone's issue with audit not working, this does appear to be the issue for me.

Since nx and eslint both use this, when you try to audit with either of these, then you get the 500 error.

[lumadev]

Thanks for the detailed feedback @jpSimkins. It really was related to some specific dependencies. I ran some tests yesterday and it seemed to be linked to my devDependencies, though I couldn't identify exactly which ones.

We tested it today and it’s back up and running!

[Vaibhav-S-Gowda]

If npm audit or pnpm audit returns:

500 Internal Server Error

The registry is not down.
The audit API is likely crashing while processing specific versions of minimatch (e.g., 9.0.5, 10.2.2).

---

Evidence

Minimal reproduction:

{
  "name": "audit-test",
  "devDependencies": {
    "minimatch": "^9.0.5"
  }
}

Running:

pnpm audit

Returns 500.

Removing minimatch → audit succeeds.

---

Why This Happens

• Recent minimatch release
• ReDoS vulnerability discussions
• Audit server likely hitting timeout or unhandled exception while scanning its dependency graph
• minimatch is widely used (ESLint, Nx, npm), so many projects are indirectly affected

---

How to Confirm

grep minimatch pnpm-lock.yaml
# or
grep minimatch yarn.lock

If you see 9.x or 10.x, this is likely the trigger.

---

Workaround

Recommended: Wait for Patch

Since this affects a core ecosystem dependency, a fix is likely being prioritized.

Optional: Pin Stable Version

pnpm

{
  "pnpm": {
    "overrides": {
      "minimatch": "7.4.6"
    }
  }
}

Yarn

{
  "resolutions": {
    "minimatch": "7.4.6"
  }
}

Reinstall dependencies after pinning.

---

Bottom Line

This is not a local issue or full registry outage.
The npm audit API is likely failing while processing certain minimatch versions.