[BUG] Third party registry returns E400 on /-/npm/v1/keys for npm audit signatures #5479

Closed
2 tasks done
juanheyns opened this issue Sep 7, 2022 · 0 comments · Fixed by #5480
Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps), Release 8.x (work is associated with a specific npm 8 release)

Comments

@juanheyns
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm audit signatures skips audit on dependencies when the registry does not return signing keys.

The method used to determine if the repository supports signing keys is to look for an E404, but some third-party registries return E400 instead.

Expected Behavior

In addition to expecting E404, also check for E400 to indicate that the third-party registry does not return signing keys.

Steps To Reproduce

  1. Sonatype Nexus Repository Manager OSS 3.33.0-01
  2. Dependency resolved from third-party registry
  3. Run 'npm audit signatures'
  4. See error:
0 verbose cli /Users/user1/.n/bin/node /Users/user1/.n/bin/npm
1 info using npm@8.15.0
2 info using node@v16.17.0
3 timing npm:load:whichnode Completed in 0ms
4 timing config:load:defaults Completed in 1ms
5 timing config:load:file:/Users/user1/.n/lib/node_modules/npm/npmrc Completed in 1ms
6 timing config:load:builtin Completed in 1ms
7 timing config:load:cli Completed in 1ms
8 timing config:load:env Completed in 1ms
9 timing config:load:file:/Users/user1/Source/github.org.tld/ist-org/atlas-control-plane/cdk/.npmrc Completed in 12ms
10 timing config:load:project Completed in 14ms
11 timing config:load:file:/Users/user1/.npmrc Completed in 1ms
12 timing config:load:user Completed in 1ms
13 timing config:load:file:/Users/user1/.n/etc/npmrc Completed in 1ms
14 timing config:load:global Completed in 1ms
15 timing config:load:validate Completed in 0ms
16 timing config:load:credentials Completed in 1ms
17 timing config:load:setEnvs Completed in 1ms
18 timing config:load Completed in 22ms
19 timing npm:load:configload Completed in 22ms
20 timing npm:load:mkdirpcache Completed in 1ms
21 timing npm:load:mkdirplogs Completed in 0ms
22 verbose title npm audit signatures
23 verbose argv "audit" "signatures"
24 timing npm:load:setTitle Completed in 17ms
25 timing config:load:flatten Completed in 3ms
26 timing npm:load:display Completed in 4ms
27 verbose logfile logs-max:10 dir:/Users/user1/.npm/_logs
28 verbose logfile /Users/user1/.npm/_logs/2022-09-07T21_27_10_677Z-debug-0.log
29 timing npm:load:logFile Completed in 5ms
30 timing npm:load:timers Completed in 0ms
31 timing npm:load:configScope Completed in 0ms
32 timing npm:load Completed in 51ms
33 verbose loading installed dependencies
34 timing arborist:ctor Completed in 1ms
35 silly logfile start cleaning logs, removing 1 files
36 silly logfile done cleaning log files
37 timing arborist:ctor Completed in 0ms
38 http fetch GET 200 https://registry.npmjs.org/-/npm/v1/keys 25ms (cache hit)
39 http fetch GET 400 https://nexus.org.tld/repository/npm-ist/-/npm/v1/keys 197ms (cache skip)
40 timing command:audit Completed in 585ms
41 verbose stack HttpErrorGeneral: 400 Bad Request - GET https://nexus.org.tld/repository/npm-ist/-/npm/v1/keys
41 verbose stack     at /Users/user1/.n/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:93:15
41 verbose stack     at processTicksAndRejections (node:internal/process/task_queues:96:5)
41 verbose stack     at async VerifySignatures.setKeys (/Users/user1/.n/lib/node_modules/npm/lib/commands/audit.js:152:18)
41 verbose stack     at async Promise.all (index 0)
41 verbose stack     at async VerifySignatures.run (/Users/user1/.n/lib/node_modules/npm/lib/commands/audit.js:41:5)
41 verbose stack     at async Audit.auditSignatures (/Users/user1/.n/lib/node_modules/npm/lib/commands/audit.js:433:5)
41 verbose stack     at async Audit.exec (/Users/user1/.n/lib/node_modules/npm/lib/commands/audit.js:371:7)
41 verbose stack     at async module.exports (/Users/user1/.n/lib/node_modules/npm/lib/cli.js:78:5)
42 verbose statusCode 400
43 verbose pkgid keys
44 verbose cwd /Users/user1/Source/github.org.tld/ist-org/atlas-control-plane/cdk
45 verbose Darwin 21.6.0
46 verbose node v16.17.0
47 verbose npm  v8.15.0
48 error code E400
49 error 400 Bad Request - GET https://nexus.org.tld/repository/npm-ist/-/npm/v1/keys
50 verbose exit 1
51 timing npm Completed in 776ms
52 verbose code 1
53 error A complete log of this run can be found in:
53 error     /Users/user1/.npm/_logs/2022-09-07T21_27_10_677Z-debug-0.log

Environment

  • npm: 8.15.0
  • Node.js: v16.17.0
  • OS Name: macOS 12.5 (Monterey)
  • npm config:
; "user" config from /Users/user1/.npmrc

; @org:registry = "https://nexus.org.tld/repository/npm-ist/" ; overridden by project
//nexus.org.tld/repository/npm-ist/:_auth = (protected) 
//nexus.org.tld/repository/npm-ist/:always-auth = true 

; "project" config from /Users/user1/Source/github.org.tld/ist-org/atlas-control-plane/cdk/.npmrc

@org:registry = "https://nexus.org.tld/repository/npm-ist/" 

; node bin location = /Users/user1/.n/bin/node
; node version = v16.17.0
; npm local prefix = /Users/user1/Source/github.org.tld/ist-org/atlas-control-plane/cdk
; npm version = 8.15.0
; cwd = /Users/user1/Source/github.org.tld/ist-org/atlas-control-plane/cdk
; HOME = /Users/user1
; Run `npm config ls -l` to show all defaults.
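
As an added example (not part of the original issue and not npm's own code), the following JavaScript scans npm debug log lines in the format shown above and classifies each registry's `/-/npm/v1/keys` response, treating both 404 and 400 as "registry publishes no signing keys", as the issue proposes. The function names, the `mirror.example.test` host and the 503 and `left-pad` lines are assumptions made for illustration.

```javascript
// Added example: classify signing-key endpoint responses found in an npm debug log.
const KEYS_PATH = '/-/npm/v1/keys';

// 404 is the status the issue says npm looks for; 400 is what the Nexus
// instance in the report returned. Both are treated as "no signing keys".
const NO_KEYS_STATUSES = new Set([400, 404]);

function classifyKeysStatus(status) {
  if (status >= 200 && status < 300) return 'keys-available';
  if (NO_KEYS_STATUSES.has(status)) return 'no-signing-keys';
  return 'error'; // e.g. 401, 500, 503: a failure, not proof that keys are absent
}

// Matches lines such as:
//   39 http fetch GET 400 https://host/repo/-/npm/v1/keys 197ms (cache skip)
const FETCH_LINE = /^\d+ http fetch GET (\d{3}) (\S+)/;

// Returns { "<registry base URL>": { status, outcome } } for every keys fetch.
function summarizeKeysFetches(logText) {
  const summary = {};
  for (const line of logText.split(/\r?\n/)) {
    const match = FETCH_LINE.exec(line.trim());
    if (!match || !match[2].endsWith(KEYS_PATH)) continue;
    const status = Number(match[1]);
    const registry = match[2].slice(0, -KEYS_PATH.length) + '/';
    summary[registry] = { status, outcome: classifyKeysStatus(status) };
  }
  return summary;
}

// Registries whose packages could not be checked against signing keys.
function registriesWithoutKeys(summary) {
  return Object.keys(summary)
    .filter((registry) => summary[registry].outcome !== 'keys-available')
    .sort();
}

// First two lines are taken from the log above; the last two are constructed.
const SAMPLE_LOG = [
  '38 http fetch GET 200 https://registry.npmjs.org/-/npm/v1/keys 25ms (cache hit)',
  '39 http fetch GET 400 https://nexus.org.tld/repository/npm-ist/-/npm/v1/keys 197ms (cache skip)',
  '40 http fetch GET 503 https://mirror.example.test/-/npm/v1/keys 12ms (cache skip)',
  '41 http fetch GET 200 https://registry.npmjs.org/left-pad 9ms (cache hit)',
].join('\n');

console.log(registriesWithoutKeys(summarizeKeysFetches(SAMPLE_LOG)));
```

Keeping `no-signing-keys` distinct from `error` lets a CI job report which registries serve packages that were never checked against a signing key, instead of folding them into a passing audit.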