npm added support for `npm audit` in npm@6 and email@example.com to highlight security issues with packages and their dependencies. The npm registry itself just added support for this very recently:
When issuing an `npm audit` call to the npm registry from within a directory with a package.json, an analysis is returned to the console.
When issuing the same request to a VSTS registry, a 400 is presently returned:
Given that this is a security-related matter, is there anything on the roadmap yet for support of this feature?
Vit Mark commented
You can use the --registry option to redirect to the npm registry, like this:
> npm audit --registry=https://registry.npmjs.org
Mike Heggeseth commented
This is increasingly urgent now that npm has announced that the Node Security Platform service will shut down on Sep 30, 2018. So you will no longer be able to resort to a one-off `nsp check` if VSTS doesn't support `npm audit`.
Why not just proxy https://<project>.pkgs.visualstudio.com/_packaging/<registry>/npm/registry/-/npm/v1/security/audits through to https://registry.npmjs.org/-/npm/v1/security/audits?
firstname.lastname@example.org added `npm audit fix` which adds more reason to implement this in VSTS. In order to use `npm audit fix`, the registry on a developer's machine needs to be pointed to npm, but running the command then will update package-lock.json with a mix of npm and VSTS registry URLs. Not clean or desired!
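
Added example (not part of the thread, and not npm or VSTS code): a check for the mixed-registry lockfile described in the last comment. It lists `package-lock.json` entries whose `resolved` URL points at a host other than the expected registry; the `contoso` host, feed path and sample lockfile are constructed placeholders, and the function names are hypothetical.

```javascript
// Collect every "resolved" URL from a parsed package-lock.json.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function collectResolved(lock) {
  const found = [];
  const walkDeps = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix} > ${name}` : name;
      if (typeof meta.resolved === 'string') found.push({ name: path, resolved: meta.resolved });
      walkDeps(meta.dependencies, path); // v1 nests transitive deps here
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // The "" key is the root project itself and has no tarball.
      if (path && typeof meta.resolved === 'string') found.push({ name: path, resolved: meta.resolved });
    }
  } else {
    walkDeps(lock.dependencies, '');
  }
  return found;
}

// Return entries whose tarball host differs from the expected registry host.
function findForeignRegistryEntries(lock, expectedHost) {
  return collectResolved(lock).filter(({ resolved }) => {
    let url;
    try { url = new URL(resolved); } catch { return true; } // unparseable: flag for review
    // git/file dependencies are not registry tarballs, so they are skipped.
    if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
    return url.hostname.toLowerCase() !== expectedHost.toLowerCase();
  });
}

// Constructed sample: a v1 lockfile after an audit fix run against a second registry.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.3.0',
      resolved: 'https://contoso.pkgs.visualstudio.com/_packaging/feed/npm/registry/left-pad/-/left-pad-1.3.0.tgz' },
    'debug': { version: '3.1.0', resolved: 'https://registry.npmjs.org/debug/-/debug-3.1.0.tgz',
      dependencies: { 'ms': { version: '2.0.0', resolved: 'https://registry.npmjs.org/ms/-/ms-2.0.0.tgz' } } },
  },
};

for (const e of findForeignRegistryEntries(sampleLock, 'contoso.pkgs.visualstudio.com')) {
  console.log(`foreign registry: ${e.name} -> ${e.resolved}`);
}
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` and the hostname of the private feed; a non-empty result in CI is a reason to fail the build before the lockfile is merged.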