npm Client Implications for npm Audit Signatures

JFrog Artifactory Documentation


Working With Remote Repositories

When running npm audit signatures from a remote repository, signing is up to the upstream registry. The official npm registry already signs packages using ECDSA, so Artifactory serves the upstream signatures directly through the remote repository.

Note that if your remote repository points to a different upstream registry and you want to use the audit signatures command, you must verify that the upstream registry signs its packages; otherwise, the audit command will always report exceptions.

Working With Virtual Repositories

When running npm audit signatures from a virtual repository, enable ECDSA signing on every local repository aggregated by the virtual repository, so that all of the packages it serves are signed.

In addition, verify that all of the remote repositories it aggregates point to registries that sign their packages.

Avoid mixing signed and unsigned repositories in virtual repositories

If you mix repositories with signed and unsigned packages, the npm audit signatures command will always report an error that some packages have no signatures. This is expected, but it also stops the npm client from continuing its usual actions, such as downloading packages.
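The failure described above, and the remote-repository case earlier on this page, can be reproduced offline with a small model of the check the npm client performs. The following Go program is an added example, not JFrog's or npm's code: it simulates a signing upstream and an unsigned one behind a virtual repository and runs an audit-style verification over packages served from both. The signed string "name@version:integrity" and the ECDSA P-256 with SHA-256 signature follow the public npm registry's published scheme; the key-id derivation, the Registry type, the package names and the integrity strings are constructed for the example, and it assumes the client trusts the union of keys published by the aggregated upstreams.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
)

// Package holds the packument fields the audit consumes; Signatures mirrors
// dist.signatures (key id + base64 ECDSA signature) and is empty when the
// upstream does not sign.
type Package struct {
	Name, Version, Integrity string
	Signatures               []Signature
}

type Signature struct{ KeyID, Sig string }
type Result struct{ Verified, Missing, Invalid []string } // how the audit reports packages

// Registry simulates one upstream: the keys it publishes (the role of the
// /-/npm/v1/keys endpoint) and, for a signing upstream, its private key.
type Registry struct {
	Keys   map[string]*ecdsa.PublicKey
	signer *ecdsa.PrivateKey // nil for an upstream that does not sign
	keyID  string
}

// NewSigningRegistry generates a throwaway P-256 key (constructed, not a real registry key).
func NewSigningRegistry() *Registry {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // an RNG failure is fatal for this demo
	}
	sum := sha256.Sum256(append(priv.X.Bytes(), priv.Y.Bytes()...)) // hypothetical key-id scheme
	id := "SHA256:" + base64.StdEncoding.EncodeToString(sum[:])
	return &Registry{Keys: map[string]*ecdsa.PublicKey{id: &priv.PublicKey}, signer: priv, keyID: id}
}

// signedDigest hashes "<name>@<version>:<integrity>", the string the public npm
// registry signs for each published version.
func signedDigest(p Package) []byte {
	sum := sha256.Sum256([]byte(p.Name + "@" + p.Version + ":" + p.Integrity))
	return sum[:]
}

// Publish signs the package if the registry has a key; otherwise it is served unsigned.
func (r *Registry) Publish(p Package) Package {
	if r.signer == nil {
		return p
	}
	der, err := ecdsa.SignASN1(rand.Reader, r.signer, signedDigest(p))
	if err != nil {
		panic(err)
	}
	p.Signatures = append(p.Signatures, Signature{r.keyID, base64.StdEncoding.EncodeToString(der)})
	return p
}

// Audit checks every package against the trusted key set: no signature at all is
// "missing" (the mixed-repository failure); one that does not verify is "invalid".
func Audit(pkgs []Package, keys map[string]*ecdsa.PublicKey) Result {
	var res Result
	for _, p := range pkgs {
		coord := p.Name + "@" + p.Version
		if len(p.Signatures) == 0 {
			res.Missing = append(res.Missing, coord)
			continue
		}
		digest, verified := signedDigest(p), false
		for _, s := range p.Signatures {
			pub, known := keys[s.KeyID]
			der, err := base64.StdEncoding.DecodeString(s.Sig)
			if known && err == nil && ecdsa.VerifyASN1(pub, digest, der) {
				verified = true
				break
			}
		}
		if verified {
			res.Verified = append(res.Verified, coord)
		} else {
			res.Invalid = append(res.Invalid, coord)
		}
	}
	return res
}

// MixedScenario models a virtual repository that aggregates a signing upstream
// and an unsigned one, plus one signed package whose served integrity changed.
func MixedScenario() Result {
	signing, unsigned := NewSigningRegistry(), &Registry{Keys: map[string]*ecdsa.PublicKey{}}
	// Constructed sample packages; the integrity values are placeholders.
	a := signing.Publish(Package{Name: "left-pad", Version: "1.3.0", Integrity: "sha512-AAAA"})
	b := unsigned.Publish(Package{Name: "internal-lib", Version: "2.0.0", Integrity: "sha512-BBBB"})
	c := signing.Publish(Package{Name: "lodash", Version: "4.17.21", Integrity: "sha512-CCCC"})
	c.Integrity = "sha512-TAMPERED" // the served tarball no longer matches what was signed
	// Assumption: the client trusts the union of keys published by the aggregated
	// upstreams; the unsigned one contributes none, so that union is signing.Keys.
	return Audit([]Package{a, b, c}, signing.Keys)
}
```

MixedScenario() returns one verified, one missing and one invalid package. The package from the unsigned upstream fails purely for lacking a signature, which is the outcome described above for mixed virtual repositories, and the same thing happens when a remote repository points at an upstream that does not sign; the tampered package shows the separate case where a signature exists but no longer matches the integrity of the tarball being served.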