Clarification on retiring the Quick Audit endpoint and the impact on pnpm and Yarn

[hockdudu]

🏷️ Discussion Type

Question

Body

Hi npm team,

I’m opening this to ask for clarification about the retirement of the Quick Audit endpoint:

https://registry.npmjs.org/-/npm/v1/security/audits/quick

Users of other package managers have started seeing this error:

HTTP 410
{"error":"This endpoint is being retired. Use the bulk advisory endpoint instead. See the following docs for more info: https://api-docs.npmjs.com/#tag/Audit"}

There are concrete reports here:

• pnpm: pnpm audit fails with 410: npm registry has retired legacy audit endpoints pnpm/pnpm#11265
• Yarn: yarn audit failing due to 410 error yarnpkg/yarn#9234

From the pnpm report, both legacy audit endpoints are returning 410:

• /-/npm/v1/security/audits/quick
• /-/npm/v1/security/audits

with the response directing clients to the Bulk Advisory endpoint instead.

I completely understand that legacy endpoints sometimes need to be retired, and there may be operational, architectural, or security reasons for doing so. The difficulty here is that audit is part of many users’ security workflow and CI, so when this changes suddenly at the registry level it has consequences outside the npm CLI.

Could you please clarify a few things?

1. What is the reason for retiring the Quick Audit / legacy audit endpoints?
2. When was this deprecation planned internally?
3. Was there any prior public notice? If so, where was it communicated?
4. Did npm evaluate whether third-party package managers such as pnpm and Yarn were still relying on these endpoints before returning 410?
5. Was there any coordination with pnpm or Yarn maintainers ahead of this change?
6. Were the security implications considered for users whose audit workflows stopped working as a result?
7. Is the expectation that all non-npm clients should migrate to the Bulk Advisory endpoint immediately?
8. Is there a documented migration path or compatibility guidance for third-party clients?
9. Is there any plan to temporarily restore the legacy endpoint, or otherwise provide a grace period, until the ecosystem has a stable working solution?

A few other points would also be useful to clarify:

• whether npm had telemetry indicating how much third-party usage still existed on these endpoints,
• whether this was a deliberate retirement rollout or part of an incident,
• whether there is a timeline for final shutdown,
• and how ecosystem maintainers should coordinate with npm on registry API changes like this in the future.

The main concern here is not that change is happening, but that this specific change affects security tooling across the wider JavaScript ecosystem. When audit support stops working unexpectedly in widely used tools, that can mean broken CI, missing vulnerability checks, and uncertainty for maintainers and users.

Even a short clarification would help a lot. It would already be useful to know whether this was an intentional retirement, whether a rollback is possible, and what npm considers the supported path for third-party package managers from here.

Thanks for any context you can share, and for the work involved in maintaining the registry and its security infrastructure.

[sam0737]

Major breaking change like this should be coordinated with yarn, pnpm, bun (if affected?) right?
These are the major consumers of this API for god sake!
And you should have all the matrices watching how many calls are hitting at the API, and could make a better informed decision on how the sunset shall be done.

[jWeck-Software]

I doubt we'll get a proper official response or explanation here.
This kind of sudden breaking change without prior public notice or apparent coordination with major third-party tools (pnpm, Yarn, …) unfortunately seems to be happening more frequently in recent years.

@leobalter @wraithgar @steiza @jeffwidman @jurre @xodene @dhei @dylanatsmith

Would be great to at least get some clarification.

[chadlwilson]

Yeah, this has taken down all scanning from OWASP dependency check for

• all NPM versions
• all PNPM versions
• Yarn Classic/v1 users

We knew the legacy APIs were probably deprecated, but we don’t have the resources of trillion dollar companies like Microsoft nor commercial providers and there was no public deprecation whatsoever - so no idea how they expect people to know their intent in advance and marshall resources.

Nothing is likely to change unless people complain via their companies to their Microsoft and/or GitHub account managers, aside from continuing the shaming of Microsoft for its GH platform near-monopoly’s behaviour towards and with open source (in particular).

I think we all know this most likely wouldn’t be happening if they weren’t trying to lock people into GH, GHA and GHSA as the only reliable ways to get security notifications for the npm ecosystem they exert monopolistic control over.

[hockdudu]

I wonder whether this may be related to the recent HTTP 500 audit errors on packages with active advisories that came up recently: https://github.com/orgs/community/discussions/187544 / pnpm/pnpm#10649

[chadlwilson]

Perhaps they intend to decom it at some point, however breaking it summarily without notice was unintentional enabling of a feature flag / premature brownout.

[chadlwilson]

The APis are still down as far as I can see, so unless they are totally incompetent, there’s nothing premature or unintentional here.

[jamgregory]

It appears to be very intentionally causing problems for people working outside of the US - given it was working at 8am BST but then broken by 10am BST (and is still down now)

[chadlwilson]

How does it make sense to use npm audit on a yarn v1 project? It doesn't understand the lock file so has no idea what versions you are using?

[arcanis]

I'd suggest to upgrade to Yarn v4 if you're still on v1. It automatically imports the lockfile and enable the node_modules install, so migration is typically minimal.

[andreashellwigvw]

@Gecko51 Understood, but then what is the point in reactivating the old endpoint for some hours a day (as it seems)? As I am writing, it is working again.

[marcelstoer]

@Gecko51 I am not sure if this qualifies as a

practical path forward

but it might be an option for some. WDYT?

$ npx synp --force --source-file yarn.lock && npm audit

[devAndreotti]

This retirement affects more than just pnpm and Yarn - it's going to impact CI/CD pipelines that rely on quick audit checks for pre-deployment security validation. The bulk advisory endpoint might work for some workflows, but it introduces additional complexity for automated systems that need fast, lightweight security scanning. Has the npm team considered providing a transitional period or migration guide specifically for CI environments?

[jsuvic]

Hi hockdudu,

Your GitHub issue on the npm Quick Audit endpoint retirement hit home—that 97-upvote signal is real. Third-party APIs retiring or changing shape without early warning is a widespread problem.

Curious: do you have any good patterns for catching those changes before they hit production? Or does it mostly stay reactive until something breaks?

We've been working on exactly that detection workflow (baseline monitoring against live responses).

Jaroslav

[jWeck-Software]

npm/api-documentation#46 (comment)

From GH support:

Thanks for reaching out. I can confirm that the 410s you saw line up with a scheduled brownout for the legacy npm audit endpoints that Yarn v1 calls. The /-/npm/v1/security/audits and /-/npm/v1/security/audits/quick endpoints are currently in a scheduled brownout. During the brownout window you can see errors like 410, and after July 15, 2026 the old endpoints will be fully retired. We are not able to bring the old endpoint back up temporarily. The recommended fix is to move your tooling to the newer Bulk Advisory endpoint. You can find the Bulk Advisory API docs here: https://api-docs.npmjs.com/#tag/Audit Please feel free to submit feedback via GitHub Community, which is reviewed by our Product Managers.

What is interesting, the maintainer of pnpm deleted the issue completely. @pnpm
German proverb: Only a mischievous person would think ill of it.

pnpm: pnpm/pnpm#11265
gone 404

Nothing left, as if it did not happen.
-> https://github.com/search?q=repo%3Apnpm%2Fpnpm+npm+audit&type=issues&s=created&o=desc

Just this merge request: pnpm/pnpm#11268 for v11

[jamgregory]

Glad they got back to @fz-ryanbigg with some more detail - I'd also asked them via email what was going on and hadn't got a concrete response 🫣

Not sure what's going on with pnpm... very odd that they'd suddenly delete the issue without explaining why 🤔

[chadlwilson]

So this is an unannounced but allegedly "scheduled" brownout; with no defined semantics (times of day, periods etc)? First time I have heard of that on a public API with clear active use...

We are not able to bring the old endpoint back up temporarily.

Not sure what this means either; if it's a temporary brownout then isn't it going up and down "temporarily" by definition?

feel free to submit feedback via GitHub Community, which is reviewed by our Product Managers

This seems to be demonstrably untrue, given this thread has no response; and there is still nothing documented?

[pitgrap]

Is posting "AI summarize" a new thing? 😕

[chadlwilson]

I have no idea why people think this is a valuable thing to do. The slopified spam in every public space is maddening.

As usual, it's not even remotely correct.

[NischalBhusal]

The real problem here is not about the technical move but about the process. Deprecation and then removal of a critical endpoint without any coordination with the ecosystem, or at least announcing a deprecation window, puts the security of many applications in jeopardy. Such a decision was avoidable. pnpm and Yarn have an enormous impact on the JavaScript ecosystem. Therefore, making such a change, which will result in broken 'pnpm audit' and 'yarn audit', calls for some communication with maintainers ahead of time before introducing 410 errors in the CI pipeline. It's evident that the npm CLI had already made such a switch to the bulk advisories endpoint beforehand, which makes the lack of communication all the more puzzling.
Here are a few suggestions for the moment:

• Verify whether it was a planned transition or some sort of an incident
• Provide a migration guide aimed at third-party clients
• Think about temporary restoration of the deprecated endpoint until the fix is shipped by pnpm and Yarn

npm is a common platform for the ecosystem. As such, it should follow specific best practices when retiring certain endpoints.

[sam0737]

Dear npm team representatives,

It has now been approximately two weeks since the legacy Quick Audit endpoint began returning 410 responses, yet there has still been no official statement from npm maintainers directly on this thread.

The change is clearly intentional: GitHub Support has already confirmed via the npm/api-documentation repository that this is a scheduled brownout leading to the permanent retirement of the legacy endpoints on July 15, 2026.

In light of this, I respectfully urge the npm team to stand by your decision openly and communicate it clearly. If you dare to implement this change, please have the courage to acknowledge it publicly here and if possible, explain the rationale behind retiring the legacy endpoints, even though the Bulk Advisory alternative has been available for years.

Transparency and accountability of this nature strengthen trust in the npm ecosystem far more than continued silence.
Thank you for your attention.

[fz-ryanbigg]

this is how GH support has been communicating about this issue

not great tbqh

[pitgrap]

Did you check the "changelog" link in the first response and could you find any announcements about the audit endpoints in it?

[jamgregory]

Did you check the "changelog" link in the first response and could you find any announcements about the audit endpoints in it?

I don't know if the changelog they mention is the GitHub one (https://github.blog/changelog/) but that's had nothing in it about API changes.

[jWeck-Software]

Did you check the "changelog" link in the first response and could you find any announcements about the audit endpoints in it?

I don't know if the changelog they mention is the GitHub one (https://github.blog/changelog/) but that's had nothing in it about API changes.

You could say there were indirect clues.

https://github.com/npm/cli/blob/latest/CHANGELOG.md#1100-pre0-2024-11-26
npm/cli#7911

npm will no longer fall back to the old audit endpoint if the bulk advisory request fails.

pnpm/pnpm#10649 (comment)

For npm the audit command works fine, but they seem to use a different endpoint. Unfortunately, the request/response is different (and undocumented?) so a potential fix without relying on npm is not as trivial as switching endpoints.

https://api-docs.npmjs.com/#tag/Audit

There is also no mention of the old Quick API in the registry documentation.

You could say there were plenty of signs that the API wouldn't be available much longer.
But unfortunately, there was no clear indication that a shutdown is imminent.

[chadlwilson]

As a Dependency-Check maintainer, let me say that all of the above is complete nonsense. Ignore it.

If you want advice on ODC look at the ODC GitHub project, not some random GitHub community issue that attracts unmoderated spam.