Is your feature request related to a problem? Please describe.
The YarnAuditAnalyzer when running in Yarn v1/classic mode currently relies on the NPM /quick security audit API. This has had some recent stability problems, but as of 15 April 2026 it has started largely returning HTTP 410 errors with "This endpoint is being retired. Use the bulk advisory endpoint instead. See the following docs for more info: https://api-docs.npmjs.com/#tag/Audit"
At time of writing, there appears to be nothing official on GitHub/npm blog: https://github.blog/tag/npm/
Describe the solution you'd like
We'll have to evaluate using the bulk advisories endpoint, or whether we should be directly integrating at all for Yarn v1.
https://api-docs.npmjs.com/#tag/Audit/operation/bulkAudit
Yarn v1 CLI yarn audit is likely completely broken now and seems unlikely to be updated. It may be we should drop yarn v1 support entirely.
https://endoflife.date/yarn
Yarn Classic (v1) entered maintenance mode in January 2020 and will eventually reach end-of-life.
Yarn Classic only receives critical and security fixes.
Additional context
If the 410s continue, in the meantime there may be no choice but for users to disable the analyzer. We may need to add config to support disabling for v1/Classic without disabling for v2+/berry, however, if we are executing scans for projects that contain both types of projects.
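The payload change that a move from /quick to the bulk advisory endpoint implies, as an added example that is not part of the original issue or the project's code. It assumes the legacy request body is the nested lockfile-style tree and the bulk request body is a JSON object mapping each package name to a list of versions; `toBulkPayload`, the sample tree and its package names are constructed for illustration.

```javascript
// Added example: collapse a legacy audit tree into a bulk advisory request body.
// Assumed shapes (not taken from the issue):
//   legacy: { name, version, requires, dependencies: { <name>: { version, dependencies? } } }
//   bulk:   { <name>: [<version>, ...] }
function toBulkPayload(legacyTree) {
  const versionsByName = new Map();
  const stack = [legacyTree.dependencies || {}];
  while (stack.length > 0) {
    const deps = stack.pop();
    for (const [name, node] of Object.entries(deps)) {
      if (!node || typeof node !== "object") continue; // malformed entry
      // Always descend: a skipped parent can still carry registry packages.
      if (node.dependencies) stack.push(node.dependencies);
      // file:, git and similar specifiers are not registry versions,
      // so there is nothing to look up for them.
      if (typeof node.version !== "string" || !/^\d+\.\d+\.\d+/.test(node.version)) continue;
      if (!versionsByName.has(name)) versionsByName.set(name, new Set());
      versionsByName.get(name).add(node.version); // Set dedupes repeated installs
    }
  }
  // Sort names and versions so the request body is deterministic (cache friendly).
  const payload = {};
  for (const name of [...versionsByName.keys()].sort()) {
    payload[name] = [...versionsByName.get(name)].sort();
  }
  return payload;
}

// Constructed sample: lodash appears at two versions, once nested, and a
// local file dependency hides a registry package underneath it.
const SAMPLE_TREE = {
  name: "demo-app",
  version: "1.0.0",
  requires: { lodash: "^4.17.21", "example-lib": "1.3.0", "local-lib": "file:../local-lib" },
  dependencies: {
    lodash: { version: "4.17.21" },
    "example-lib": { version: "1.3.0", dependencies: { lodash: { version: "4.17.20" } } },
    "local-lib": { version: "file:../local-lib", dependencies: { minimist: { version: "1.2.8" } } },
  },
};

console.log(JSON.stringify(toBulkPayload(SAMPLE_TREE), null, 2));
```

The bulk shape drops the tree structure, so any report that needs the dependency path to a vulnerable package has to rebuild it from the lockfile after the response comes back.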