
Invalid payload submitted to Node Audit API. Received response code: 400 Bad Request #3716

@rowe42

Description


In our project the dependency-check fails on the Node Audit analyzer with the error:

```
Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
```

However, this is NOT the same problem as in #2641.

Investigating, I found that the payload, which is generated in https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzer.java#L184, seems not to be accepted by the NPM REST API.

What I did was

  • run the dependency check (in my case through the CLI, like this: `dependency-check -s . --disableYarnAudit --log dependencycheck.log`)
  • open the file dependencycheck.log, find the payload in there (close to the line "Node Audit Payload") and copy it
  • run the call to https://registry.npmjs.org/-/npm/v1/security/audits manually with curl or Postman, like this:

```bash
curl --location --request POST 'https://registry.npmjs.org/-/npm/v1/security/audits' \
--header 'Content-Type: application/json' \
--data-raw 'PLACE-PAYLOAD-HERE'
```

and I get the same error:

```json
{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Invalid package tree, run  npm install  to rebuild your package-lock.json"
}
```

When I run npm audit it works though, so I think it's not a problem with my package-lock.json or with NPM.

Here is the payload in our example: nodeaudit_payload.txt

So, the problem must be somewhere in NpmPayloadBuilder.java.

Stripping down the payload on a trial-and-error basis, the error persists and only goes away when the entries in the `requires` section resemble the entries in the `dependencies` section, but I'm not sure whether that is really the rule.
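A quick consistency check for the hypothesis above, as an added example that is not part of this issue or of DependencyCheck: it parses a payload in the npm v6 audit request shape (an assumption about the format: a top-level `requires` map plus a nested `dependencies` tree, each node optionally carrying its own `requires` and `dependencies`) and lists every `requires` entry that no `dependencies` entry at the same node or an ancestor resolves. The sample payload is constructed; run `check_payload_text` on the payload copied from dependencycheck.log before posting it to the API.

```python
import json

# Constructed sample payload in the assumed npm v6 audit request shape.
# "lodash" is required at the root but never appears under "dependencies",
# which is the kind of inconsistency the check reports.
SAMPLE_PAYLOAD = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "requires": {"left-pad": "^1.3.0", "lodash": "^4.17.0"},
    "dependencies": {
        "left-pad": {"version": "1.3.0"},
        "debug": {
            "version": "4.3.4",
            "requires": {"ms": "2.1.2"},
            "dependencies": {"ms": {"version": "2.1.2"}},
        },
    },
})


def find_unresolved_requires(payload: dict) -> list:
    """Return (path, name) pairs for every ``requires`` entry that has no
    matching ``dependencies`` entry at that node or any ancestor node
    (npm resolves names upwards through the tree). Name-level check only;
    version ranges are not compared."""
    problems = []

    def walk(node, path, visible):
        deps = node.get("dependencies", {})
        # Names declared at this node become visible to the whole subtree.
        scope = dict(visible)
        scope.update(deps)
        for name in node.get("requires", {}):
            if name not in scope:
                problems.append(("/".join(path) or "<root>", name))
        for child_name, child in deps.items():
            walk(child, path + [child_name], scope)

    walk(payload, [], {})
    return problems


def check_payload_text(text: str) -> list:
    """Parse a payload string (e.g. copied from dependencycheck.log) and
    return the unresolved requires, sorted for stable output."""
    return sorted(find_unresolved_requires(json.loads(text)))


if __name__ == "__main__":
    for path, name in check_payload_text(SAMPLE_PAYLOAD):
        print(f"{path}: requires {name!r} but no dependencies entry resolves it")
```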
