`yarn audit` failing due to 410 error

[jamgregory]

I imagine this won't be fixed (unfortunately), but it looks like npm has silently deprecated the security audit API that Yarn 1 uses:

yarn audit v1.22.22
error Error: https://registry.yarnpkg.com/-/npm/v1/security/audits: Request "https://registry.yarnpkg.com/-/npm/v1/security/audits" returned a 410
    at params.callback [as _callback] (/usr/share/yarn/lib/cli.js:66689:18)
    at self.callback (/usr/share/yarn/lib/cli.js:141410:22)
    at Request.emit (node:events:517:28)
    at Request.<anonymous> (/usr/share/yarn/lib/cli.js:142382:10)
    at Request.emit (node:events:517:28)
    at IncomingMessage.<anonymous> (/usr/share/yarn/lib/cli.js:142304:12)
    at Object.onceWrapper (node:events:631:28)
    at IncomingMessage.emit (node:events:529:35)
    at endReadableNT (node:internal/streams/readable:1400:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
info Visit https://yarnpkg.com/en/docs/cli/audit for documentation about this command.

Unless a third-party package can work around this, I expect it'll no longer be possible to audit Yarn 1 packages for security issues.

[apreiml]

Is it really deprecated? Just seems like the API was down for a short period.

[akondratsky]

Had the same issue a few hours ago. And now again. Does anybody have any context / references?

[janisint]

Note this related issue for pnpm pnpm/pnpm#11265

[jamgregory]

Is it really deprecated? Just seems like the API was down for a short period.

As @janisint points out, there's an outstanding issue with pnpn's audit process showing the full error message. You can see it yourself using curl:

$ curl -X POST https://registry.yarnpkg.com/-/npm/v1/security/audits
{"error":"This endpoint is being retired. Use the bulk advisory endpoint instead. See the following docs for more info: https://api-docs.npmjs.com/#tag/Audit"}

[kerolloz]

Hey guys,
I've created a simple workaround https://github.com/kerolloz/registry-proxy
Mainly a proxy to help you redirect yarn requests to the new working endpoint and it transforms the request/response body so you don't have to worry about it.

But since yarn doesn't support the --registry flag (check #7012), we need to do a couple of steps to make it work.

• Locate your Yarn binary:

  which yarn

• Edit /lib/node_modules/yarn/lib/cli.js
• Update Audit.prototype._fetchAudit:
• Then run YARN_REGISTRY=http://localhost:4873 yarn audit

Screen.Recording.2026-04-15.at.6.47.36.PM.mov

[elawad]

Looks to be back online now.

[fz-ryanbigg]

Looks to be down again. Was there an announcement of this?

[hockdudu]

I asked NPM for clarification on https://github.com/orgs/community/discussions/192768

[jamgregory]

Thanks @hockdudu - I've also raised a query in npm/api-documentation#46 about why those endpoints are undocumented

As of now, yarn audit appears to be working again and the endpoints are responding as expected (I assume!) but obviously it's concerning that there's been no public announcement of this brownout/deprecation, so I'd work on the basis that they'll go away again in future.

As of 10:50am (BST), the API is down again 😭

[Pankeking]

it is working again 🥳

[jamgregory]

it is working again 🥳

It's going to be interesting to see what happens tomorrow. It appears to be online for ~12 hours a day, but those hours are definitely coinciding with the US working day and not anyone else 😭

[maximogismondi]

I think its failing again 🫤