Two weeks ago, the NPM endpoint that yarn audit from Yarn v1 uses stopped working:
I imagine this won't be fixed (unfortunately), but it looks like npm has silently deprecated the security audit API that Yarn 1 uses:
yarn audit v1.22.22
error Error: https://registry.yarnpkg.com/-/npm/v1/security/audits: Request "https://registry.yarnpkg.com/-/npm/v1/security/audits" returned a 410
at params.callback [as _callback] (/usr/share/yarn/lib/cli.js:66689:18)
at self.callback (/usr/share/yarn/lib/cli.js:141410:22)
at Request.emit (node:events:517:28)
at Request.<anonymous> (/usr/share/yarn/lib/cli.js:142382:10)
at Request.emit (node:events:517:28)
at IncomingMessage.<anonymous> (/usr/share/yarn/lib/cli.js:142304:12)
at Object.onceWrapper (node:events:631:28)
at IncomingMessage.emit (node:events:529:35)
at endReadableNT (node:internal/streams/readable:1400:12)
at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
info Visit https://yarnpkg.com/en/docs/cli/audit for documentation about this command.
Unless a third-party package can work around this, I expect it'll no longer be possible to audit Yarn 1 packages for security issues.
We use Yarn v1, as it’s been reliably stable for installing NPM packages. Yes, there are newer versions out there. Upgrade attempts have been made, but we’ve run into issues each time.
There’s also this discussion thread on the GitHub community forum with a great list of questions:
- What is the reason for retiring the Quick Audit / legacy audit endpoints?
- When was this deprecation planned internally?
- Was there any prior public notice? If so, where was it communicated?
- Did npm evaluate whether third-party package managers such as pnpm and Yarn were still relying on these endpoints before returning 410?
- Was there any coordination with pnpm or Yarn maintainers ahead of this change?
- Were the security implications considered for users whose audit workflows stopped working as a result?
- Is the expectation that all non-npm clients should migrate to the Bulk Advisory endpoint immediately?
- Is there a documented migration path or compatibility guidance for third-party clients?
- Is there any plan to temporarily restore the legacy endpoint, or otherwise provide a grace period, until the ecosystem has a stable working solution?
None of these questions had been answered by GitHub or NPM support as of the time of writing, 15 days later.
I understand the need for cost reductions and deprecations in software: I am a software developer, so of course I understand these.
What I don’t understand is how this could not be communicated plainly in GitHub’s changelog.
It took me contacting NPM support to get an answer. Here’s what I wrote:
The NPM endpoint that 'yarn audit' from Yarn V1.22.2 uses was reporting as "410 Gone" a few weeks ago.
This was raised in a number of GitHub issue threads, including this one: https://github.com/npm/api-documentation/issues/46
It would be helpful to get an NPM maintainer's perspective here. Is the endpoint being shut down? How much longer do we have with it? Where/how was this brownout communicated?
Thank you
A concerned tech lead who had to manage a team of people freaking out
And their response:
Thanks for reaching out.
I can confirm that the 410s you saw line up with a scheduled brownout for the legacy npm audit endpoints that Yarn v1 calls.
The /-/npm/v1/security/audits and /-/npm/v1/security/audits/quick endpoints are currently in a scheduled brownout. During the brownout window you can see errors like 410, and after July 15, 2026 the old endpoints will be fully retired. We are not able to bring the old endpoint back up temporarily.
The recommended fix is to move your tooling to the newer Bulk Advisory endpoint. You can find the Bulk Advisory API docs here: https://api-docs.npmjs.com/#tag/Audit
Please feel free to submit feedback via GitHub Community, which is reviewed by our Product Managers.
The phrasing “scheduled brownout” here indicates it was communicated in advance somewhere. I assumed I missed the memo, so wrote back:
Thank you for your reply here. You've said "scheduled brownout" but I am not sure what this schedule _is_. Is this documented somewhere? I would require a definitive source; changes to my code require something more than "because FE from GitHub support said so".
And they replied:
I'm looking into this with our team, so I'll follow up once we have an update.
And a few hours later, again from them:
I heard back from our Product team, and we don't have an announcement yet. In the meantime, the recommendation is to follow our Changelog releases for updates.
The changelog feed (https://github.blog/changelog/feed/) has no results for the terms “npm”, “audit” or “endpoint”.
They closed the thread and sent the generic NPS email of “please let us know how we went”.
I wrote back two days ago:
Nah man, this isn’t it. You guys have a duty to communicate publicly the timeline of deprecating an endpoint like this. It’s not on your changelog, but it should be.
They wrote back this morning:
I understand your frustration. I've passed along your feedback to our Product team internally. If you haven't done so already, you can do the following as well (another link to the GitHub community page)
I don’t mind that endpoints I rely on are being turned off. Deprecations are par for the course when it comes to software! What I do mind is that it comes as a complete surprise, and has not been communicated anywhere except in a support thread between myself and this support person.
We now have a known deprecation date of July 15th of this year. That’s motivation enough for us to move our tooling over to npm audit, which now has a very good reason to be prioritised into our teams’ work.
I would think that GitHub, being itself a serious company AND a subsidiary of Microsoft, would do a much better job of communicating that an endpoint people rely on is being turned off. They could fix this very easily by putting up a notice on their Changelog, but so far they haven’t. There are under 11 weeks to go until this endpoint turns off forever.