Description
The CI security audit step is intermittently failing due to npm’s audit endpoint returning a 410 Gone response. The failure is flaky—sometimes the audit step passes successfully, and other times it fails with the deprecated endpoint error.
This appears to be caused by npm deprecating the legacy audit endpoint used by pnpm audit, combined with inconsistent resolution or fallback behavior in the current toolchain.
Error Output
ERR_PNPM_AUDIT_BAD_RESPONSE The audit endpoint (at https://registry.npmjs.org/-/npm/v1/security/audits) responded with 410:
{"error":"This endpoint is being retired. Use the bulk advisory endpoint instead."}
Error: Process completed with exit code 1.
Where This Occurs
• GitHub Actions → Security Audit job
• Step: Run pnpm audit --audit-level=high --prod
• Environment: CI (Node.js + pnpm setup)
Expected Behavior
• pnpm audit should consistently complete successfully or return valid vulnerability results
• CI pipeline should not fail due to deprecated npm endpoints
• No intermittent (flaky) failures
Actual Behavior
• Audit step fails intermittently with 410 Gone
• Same workflow can pass or fail without code changes
• CI pipeline becomes unreliable and may block downstream steps
Root Cause
• npm has deprecated the legacy audit endpoint (/-/npm/v1/security/audits)
• Current pnpm/npm setup in CI sometimes still attempts to use the old endpoint
• Behavior appears inconsistent, leading to flaky results
• Requires updated npm/pnpm versions that fully support the new bulk advisory endpoint
Proposed Fix
• Upgrade Node.js to version 24 (includes newer npm with updated audit behavior)
• Ensure npm is updated to latest version (npm install -g npm@latest)
• Verify pnpm version compatibility with new npm audit API
• Alternatively, temporarily disable audit step or adjust flags if blocking CI
Additional Context
• Related npm issue: npm/cli#8976
• This may impact all CI pipelines relying on pnpm audit without updated tooling
Next Steps
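The proposed fix lists disabling the audit step as a fallback. As an added example (not part of the issue or the project's workflow), this wrapper keeps the step and separates "the audit endpoint rejected the request" from "the audit ran and failed". The function names, the AUDIT_ENDPOINT_POLICY variable and exit code 75 are assumptions of this sketch; the only string it matches is the ERR_PNPM_AUDIT_BAD_RESPONSE code from the error output above.

```shell
#!/usr/bin/env bash
# Added example: gate a CI job on pnpm audit without hiding endpoint outages.

# classify_audit RC OUTPUT -> prints endpoint_error | clean | failed
classify_audit() {
  local rc="$1" output="$2"
  case "$output" in
    *ERR_PNPM_AUDIT_BAD_RESPONSE*) echo endpoint_error ;;  # code seen in the CI log
    *) if [ "$rc" -eq 0 ]; then echo clean; else echo failed; fi ;;
  esac
}

# audit_gate CMD [ARGS...] -> runs the audit command and maps it to an exit code:
#   0   audit ran and passed
#   1   audit ran and failed (findings at/above the level, or another error)
#   75  audit did not run: the endpoint rejected the request (EX_TEMPFAIL, assumed choice)
# AUDIT_ENDPOINT_POLICY=warn (hypothetical variable) turns 75 into 0 but leaves
# a GitHub Actions warning annotation so the skipped check stays visible.
audit_gate() {
  local output rc verdict
  # "&& ... ||" keeps a failing command from aborting the script under `set -e`
  output="$("$@" 2>&1)" && rc=0 || rc=$?
  printf '%s\n' "$output"
  verdict="$(classify_audit "$rc" "$output")"
  case "$verdict" in
    clean)  return 0 ;;
    failed) return 1 ;;
    endpoint_error)
      if [ "${AUDIT_ENDPOINT_POLICY:-fail}" = "warn" ]; then
        echo "::warning::pnpm audit did not run (audit endpoint error); dependencies were NOT checked"
        return 0
      fi
      echo "::error::pnpm audit did not run (audit endpoint error)"
      return 75 ;;
  esac
}

# Constructed stand-in for the failing step: replays the first line of the logged error.
fake_audit_410() {
  echo 'ERR_PNPM_AUDIT_BAD_RESPONSE The audit endpoint (at https://registry.npmjs.org/-/npm/v1/security/audits) responded with 410:'
  return 1
}

# In the workflow step: audit_gate pnpm audit --audit-level=high --prod
```

With the default policy the job still fails on a 410, but with a distinct exit code and annotation, so an unchecked dependency tree is never reported as a passed audit.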