npm added support for `npm audit` in npm@6 and firstname.lastname@example.org to highlight security issues with packages and their dependencies. The npm registry itself just added support for this very recently:
When issuing an `npm audit` call to the npm registry from within a directory with a package.json, an analysis is returned to the console.
When issuing the same request to a VSTS registry, a 400 is presently returned:
Given that this is a security-related matter, is there anything on the roadmap yet for support of this feature?
Mike Heggeseth commented
This is increasingly urgent now that npm has announced that the Node Security Platform service will shut down on Sep 30, 2018. So you will no longer be able to resort to a one-off `nsp check` if VSTS doesn't support `npm audit`.
Why not just proxy https://<project>.pkgs.visualstudio.com/_packaging/<registry>/npm/registry/-/npm/v1/security/audits through to https://registry.npmjs.org/-/npm/v1/security/audits?
email@example.com added `npm audit fix` which adds more reason to implement this in VSTS. In order to use `npm audit fix`, the registry on a developer's machine needs to be pointed to npm, but running the command then will update package-lock.json with a mix of npm and VSTS registry URLs. Not clean or desired!
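The mixed-registry `package-lock.json` described in the last comment can be caught before it is committed. The check below is an added example, not code from this thread or from npm. The feed host `contoso.pkgs.visualstudio.com` and the sample lockfile are constructed placeholders, and the function goes beyond the nested `dependencies` layout to also read the flat `packages` map used by newer lockfiles.

```javascript
// Added example: list lockfile entries whose tarball URL points at a registry
// host other than the one the team expects (hypothetical helper name).
function findForeignResolved(lock, expectedHost) {
  const findings = [];
  const check = (name, entry) => {
    if (!entry || typeof entry.resolved !== 'string') return; // file:/link deps carry no URL
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      return; // not an absolute URL, so not a registry tarball
    }
    if (!/^https?:$/.test(url.protocol)) return; // git and file sources are out of scope here
    if (url.host !== expectedHost) findings.push({ name, host: url.host });
  };
  // lockfileVersion 1: dependencies nest inside each other.
  const walkV1 = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix} > ${name}` : name;
      check(path, entry);
      walkV1(entry.dependencies, path);
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; '' is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== '') check(path, entry);
    }
  } else {
    walkV1(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample: one package from the private feed, two from registry.npmjs.org.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.3.0', resolved: 'https://contoso.pkgs.visualstudio.com/_packaging/feed/npm/registry/left-pad/-/left-pad-1.3.0.tgz' },
    express: {
      version: '4.16.3',
      resolved: 'https://registry.npmjs.org/express/-/express-4.16.3.tgz',
      dependencies: { debug: { version: '2.6.9', resolved: 'https://registry.npmjs.org/debug/-/debug-2.6.9.tgz' } }
    },
    'local-lib': { version: 'file:../local-lib' }
  }
};

console.log(findForeignResolved(SAMPLE_LOCK, 'contoso.pkgs.visualstudio.com'));
```

In a pre-commit hook or CI step, a non-empty result would be the signal to fail the build and regenerate the lockfile against the intended registry.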