fix(audit): add a condition to allow third-party registries returning E400 (#5480)

juanheyns · web-flow · commit 0d90a011fff4 · 2022-09-21T13:46:00.000-07:00
* Add a condition to fix third-party registries returning E400

* changed to a separate test.

Co-authored-by: Juan Heyns &lt;jheyns@mit.edu&gt;
diff --git a/lib/commands/audit.js b/lib/commands/audit.js
@@ -156,7 +156,7 @@ class VerifySignatures {
       ...key,
       pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
     }))).catch(err => {
-      if (err.code === 'E404') {
+      if (err.code === 'E404' || err.code === 'E400') {
         return null
       } else {
         throw err
diff --git a/test/lib/commands/audit.js b/test/lib/commands/audit.js
@@ -1171,7 +1171,7 @@ t.test('audit signatures', async t => {
     t.matchSnapshot(joinedOutput())
   })
 
-  t.test('third-party registry without keys does not verify', async t => {
+  t.test('third-party registry without keys (E404) does not verify', async t => {
     const registryUrl = 'https://verdaccio-clone2.org'
     const { npm } = await loadMockNpm(t, {
       prefixDir: installWithThirdPartyRegistry,
@@ -1200,6 +1200,35 @@ t.test('audit signatures', async t => {
     )
   })
 
+  t.test('third-party registry without keys (E400) does not verify', async t => {
+    const registryUrl = 'https://verdaccio-clone2.org'
+    const { npm } = await loadMockNpm(t, {
+      prefixDir: installWithThirdPartyRegistry,
+      config: {
+        '@npmcli:registry': registryUrl,
+      },
+    })
+    const registry = new MockRegistry({ tap: t, registry: registryUrl })
+    const manifest = registry.manifest({
+      name: '@npmcli/arborist',
+      packuments: [{
+        version: '1.0.14',
+        dist: {
+          tarball: 'https://registry.npmjs.org/@npmcli/arborist/-/@npmcli/arborist-1.0.14.tgz',
+          integrity: 'sha512-caa8hv5rW9VpQKk6tyNRvSaVDySVjo9GkI7Wj/wcsFyxPm3tYrE' +
+              'sFyTjSnJH8HCIfEGVQNjqqKXaXLFVp7UBag==',
+        },
+      }],
+    })
+    await registry.package({ manifest })
+    registry.nock.get('/-/npm/v1/keys').reply(400)
+
+    await t.rejects(
+      npm.exec('audit', ['signatures']),
+      /found no dependencies to audit that where installed from a supported registry/
+    )
+  })
+
   t.test('third-party registry with keys and signatures', async t => {
     const registryUrl = 'https://verdaccio-clone.org'
     const { npm, joinedOutput } = await loadMockNpm(t, {
