From 0d90a011fff411c878ba4b44582f14ef7dbdceb1 Mon Sep 17 00:00:00 2001
From: Juan Heyns
Date: Wed, 21 Sep 2022 16:46:00 -0400
Subject: [PATCH] fix(audit): add a condition to allow third-party registries returning E400 (#5480)
* Add a condition to fix third-party registries returning E400
* changed to a separate test.
Co-authored-by: Juan Heyns
---
 lib/commands/audit.js | 2 +-
 test/lib/commands/audit.js | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/lib/commands/audit.js b/lib/commands/audit.js
index 6ec870f03a8a5..feccefda0c904 100644
--- a/lib/commands/audit.js
+++ b/lib/commands/audit.js
@@ -156,7 +156,7 @@ class VerifySignatures {
 ...key,
 pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
 }))).catch(err => {
- if (err.code === 'E404') {
+ if (err.code === 'E404' || err.code === 'E400') {
 return null
 } else {
 throw err
diff --git a/test/lib/commands/audit.js b/test/lib/commands/audit.js
index b6c6c77a2b40a..bfa68955c5c7b 100644
--- a/test/lib/commands/audit.js
+++ b/test/lib/commands/audit.js
@@ -1171,7 +1171,7 @@ t.test('audit signatures', async t => {
 t.matchSnapshot(joinedOutput())
 })
 
- t.test('third-party registry without keys does not verify', async t => {
+ t.test('third-party registry without keys (E404) does not verify', async t => {
 const registryUrl = 'https://verdaccio-clone2.org'
 const { npm } = await loadMockNpm(t, {
 prefixDir: installWithThirdPartyRegistry,
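Review bot: Treating `E400` like `E404` in the `.catch` handler of lib/commands/audit.js makes the key fetch fail open on a generic client error: any registry, proxy or gateway that answers the keys request with 400 is now recorded as having no keys (`return null`), the same outcome as a registry that never published any. From the hunk alone it looks as if packages from such a registry are then left out of signature verification rather than reported, so a user with several configured registries may not notice that one was skipped; the caller is outside the hunk, so this needs confirming there. I would document the reason at the branch, e.g. `// some third-party registries answer 400 instead of 404 when the keys endpoint is unsupported; treat both as "no keys published"`, and emit a warning naming the registry and the error code so the downgrade is visible in the audit output.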
@@ -1200,6 +1200,35 @@ t.test('audit signatures', async t => {
 )
 })
 
+ t.test('third-party registry without keys (E400) does not verify', async t => {
+ const registryUrl = 'https://verdaccio-clone2.org'
+ const { npm } = await loadMockNpm(t, {
+ prefixDir: installWithThirdPartyRegistry,
+ config: {
+ '@npmcli:registry': registryUrl,
+ },
+ })
+ const registry = new MockRegistry({ tap: t, registry: registryUrl })
+ const manifest = registry.manifest({
+ name: '@npmcli/arborist',
+ packuments: [{
+ version: '1.0.14',
+ dist: {
+ tarball: 'https://registry.npmjs.org/@npmcli/arborist/-/@npmcli/arborist-1.0.14.tgz',
+ integrity: 'sha512-caa8hv5rW9VpQKk6tyNRvSaVDySVjo9GkI7Wj/wcsFyxPm3tYrE' +
+ 'sFyTjSnJH8HCIfEGVQNjqqKXaXLFVp7UBag==',
+ },
+ }],
+ })
+ await registry.package({ manifest })
+ registry.nock.get('/-/npm/v1/keys').reply(400)
+
+ await t.rejects(
+ npm.exec('audit', ['signatures']),
+ /found no dependencies to audit that where installed from a supported registry/
+ )
+ })
+
 t.test('third-party registry with keys and signatures', async t => {
 const registryUrl = 'https://verdaccio-clone.org'
 const { npm, joinedOutput } = await loadMockNpm(t, {
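Review bot: The added case only exercises a 400 from the sole configured registry, where the command still rejects, so it does not pin the boundary of the relaxed check. A sibling case using `registry.nock.get('/-/npm/v1/keys').reply(500)` (or a 401/403) and asserting that the command rejects with the registry error, not the "no dependencies to audit" message, would keep later edits from widening the tolerated codes unnoticed. The body is otherwise a copy of the E404 test, so a small loop over `[404, 400]` would remove the duplication. The enclosing `t.test('audit signatures', ...)` block starts and ends outside the hunk.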