How to configure Nexus Repository Manager to support npm audit

Question

When I try to execute npm audit in my (Angular 7) app, I get the following npm error:

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://nexus.xxx.com/repository/yyy/) does not support audit requests, or the audit endpoint is temporarily unavailable.

Does anyone know how I can get Nexus to support npm audit?

Answer 1

The solution with npm audit --registry=https://registry.npmjs.org only works if your npm client has internet access to registry.npmjs.org.

If this is not the case and you don't want to pay for Nexus Firewall or Nexus Lifecycle, you can set up another proxy that redirects all calls to https://nexus.xxx.com/repository/yyy/-/npm/v1/security/audits and all of its subpaths to https://registry.npmjs.org/-/npm/v1/security/audits.

Something like https://github.com/chovyy/npm-audit-proxy might be helpful.

Answer 2

Oh, it seems, I cannot:

https://issues.sonatype.org/browse/NEXUS-16954

"We are currently investigating the best way to implement NPM Audit and it is a priority for us, watch this space." (as of July 2019)

Answer 3

As noted in the linked JIRA (NEXUS-16954), it should be possible to workaround NXRM by using npm audit --registry=https://registry.npmjs.org.

UPDATE (May 11th 2020): As of NXRM version 3.23, npm audit should work with systems that have Sonatype Firewall or IQ server configured. The message returned should no longer error but explain this. A further JIRA ticket has been opened to track desire for this command to work without the workaround stated here but not implemented as of this update.