This ENOAUDIT error occurs when your private npm registry doesn't support the audit API. Use --registry flag to audit against the public npm registry or upgrade your private registry.
The npm audit command requires the registry to implement the security audit API endpoint. When your configured registry (often a private one like Verdaccio, Artifactory, or Nexus) doesn't support audit requests, npm cannot check your dependencies for known vulnerabilities. This is a mismatch between npm's audit feature and the registry's capabilities—most private registries were built before npm audit existed or didn't implement the necessary security endpoints. The error indicates that npm successfully reached your registry but found it doesn't support the audit endpoint.
If you need to unblock installations immediately, disable the audit check:
# Disable audit for a single install
npm install --no-audit
# Disable audit globally (sets in .npmrc)
npm set audit false
# Or manually edit ~/.npmrc and add:
audit=falseNote: This skips vulnerability checks, so have an alternative security scanning process.
Run npm audit against the public npm registry while keeping your private registry for package installations:
# Run audit against public registry
npm audit --registry=https://registry.npmjs.org
# Or use the --audit-level flag to ignore low/moderate vulnerabilities
npm audit --registry=https://registry.npmjs.org --audit-level=highIf using Artifactory, Nexus, or Verdaccio, check your version and upgrade:
Artifactory: npm audit is supported natively. Ensure you have at least one remote repository pointing to registry.npmjs.org.
Nexus Repository Manager: As of version 3.23.0+, npm audit is supported. Upgrade to the latest version.
Verdaccio: Upgrade to the latest version (5.x). The audit command works with recent versions:
npm install -g verdaccio@latestSome enterprise registries require authentication for audit endpoints. Configure credentials in your .npmrc:
# For .npmrc in your project root or ~/.npmrc
registry=https://your-private-registry.com
//your-private-registry.com:_authToken=your-token-here
# For Artifactory with username/password
_auth=$(echo -n "username:password" | base64)Corrupted lock files can cause audit issues. Perform a clean reinstall:
# Remove lock files and node_modules
rm -rf package-lock.json node_modules
# Reinstall everything
npm install
# Then try audit
npm auditIf you get EAUDITNOLOCK error, create the lock file explicitly:
npm install --package-lock-only
npm auditIn Docker or CI/CD, use environment-specific registry configuration:
# Docker example
FROM node:18
WORKDIR /app
COPY package*.json ./
# Install from private registry
RUN npm ci
# Audit against public registry
RUN npm audit --registry=https://registry.npmjs.org || trueThe || true allows the build to continue even if audit finds vulnerabilities.
For enterprise environments, consider these alternatives: (1) JFrog Xray with Artifactory provides vulnerability scanning without depending on npm audit. (2) Setup an npm-audit-proxy to bridge the gap between your private registry and npmjs.org. (3) Verdaccio supports uplinks to npmjs.org; configure it to forward audit requests. (4) For air-gapped environments without internet access, use tools like OWASP Dependency-Check, Snyk, or commercial alternatives for vulnerability scanning on private packages.
npm ERR! code ENOAUDIT npm ERR! Audit endpoint not supported
How to fix "npm ERR! code ENOAUDIT - Audit endpoint not supported"
npm ERR! code EBADDEVENGINES npm ERR! devEngines.runtime incompatible with current node version
How to fix "npm ERR! code EBADDEVENGINES - devEngines.runtime incompatible with current node version"
npm ERR! code ETOOMANYARGS npm ERR! Too many arguments
How to fix "npm ERR! code ETOOMANYARGS - Too many arguments"
npm ERR! code EINVALIDTAGNAME npm ERR! Invalid tag name: tag names cannot contain spaces
How to fix "npm ERR! code EINVALIDTAGNAME - tag names cannot contain spaces"
npm ERR! code E400 npm ERR! 400 Bad Request
How to fix "npm ERR! code E400 - 400 Bad Request" error