Fix: Yarn Npm Audit Crash With Gemfury - Debugging Tips
Hey guys,
Encountering crashes while running yarn npm audit can be super frustrating, especially when you're trying to keep your project secure. In this article, we'll dive into a specific bug report where a user experienced this issue, likely due to the interaction between Yarn, Gemfury (a private npm registry), and SSL verification. We'll break down the problem, explore potential causes, and offer solutions to help you get your audits running smoothly again. Let’s get started!
The Bug: yarn npm audit Crashing
Let's start by describing the bug: running yarn npm audit on the latest version of Yarn resulted in a crash with a lengthy error message. This error message, while intimidating, gives us clues about what might be going wrong. Here’s the gist of the error:
/Users/remyvillulles/.cache/node/corepack/v1/yarn/4.10.3/yarn.js:146
`)}`}}};Ln.RequestError=us;var eR=class extends us{constructor(e){super(`Redirected ${e.options.maxRedirects} times. Aborting.`,{},e),this.name="MaxRedirectsError"}};
...
This error trace indicates an issue within Yarn's core files, specifically related to request handling and possibly redirects or SSL-related configurations. The user also provided their .yarnrc.yml file, which gives us more context about their setup.
Analyzing the yarn npm audit Configuration
The .yarnrc.yml file is key to understanding the problem. Let’s break down the relevant parts:
npmRegistryServer: "https://npm-proxy.fury.io/mycompanyname/"
# Configure scoped packages to use Gemfury registry
npmScopes:
  mycompanyname:
    npmRegistryServer: "https://npm-proxy.fury.io/mycompanyname/"
# Disable SSL verification (equivalent to ca=null in .npmrc)
enableStrictSsl: false
# Enable modern features
nodeLinker: node-modules
# Performance optimizations
enableGlobalCache: true
- npmRegistryServer: This setting points Yarn to Gemfury as the primary npm registry. Gemfury acts as a proxy, allowing private packages and potentially caching public ones.
- npmScopes: This further configures Yarn to use the Gemfury registry for packages under the mycompanyname scope.
- enableStrictSsl: false: This is a critical setting. It disables strict SSL verification, meaning Yarn will not validate the SSL certificate of the registry. While this might seem like a quick fix for SSL issues, it can expose your system to security risks, because a connection whose certificate is not checked can be intercepted or altered by a man-in-the-middle.
- nodeLinker: node-modules: This tells Yarn to use the traditional node_modules structure.
- enableGlobalCache: true: This enables Yarn’s global cache for performance improvements.
Identifying the Core Issue with yarn npm audit
The most likely culprit here is the combination of Gemfury, disabled SSL verification, and how yarn npm audit interacts with the registry. Here’s a breakdown of potential issues:
- SSL Issues with Gemfury: Disabling enableStrictSsl suggests there might be an underlying issue with SSL certificate validation when connecting to Gemfury. This could be due to a misconfigured certificate on the Gemfury side, or issues with the local system's certificate store.
- yarn npm audit and Registry Redirection: The yarn npm audit command likely makes requests to the configured npm registry to check for vulnerabilities. If Gemfury is acting as a proxy, it might be involved in redirecting these requests. The error message mentioning “MaxRedirectsError” hints at potential issues with this redirection process.
- Yarn Bug with Custom Registries: It’s also possible there’s a bug in Yarn’s handling of npm audit when used with custom registries like Gemfury, especially concerning SSL and authentication.
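One way to see what sits behind a MaxRedirectsError, as an added example that is not from the bug report or from Yarn: record each hop without following it, then classify the chain. The registry.example.test and cdn.example.test URLs and the function names recordHops and classifyChain are constructed for illustration.

```javascript
// Record hops without auto-following them (Node 18+ global fetch).
async function recordHops(startUrl, maxHops = 20) {
  const hops = [];
  let url = startUrl;
  for (let i = 0; i < maxHops && url; i++) {
    const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
    const location = res.headers.get('location');
    hops.push({ url, status: res.status, location });
    const isRedirect = res.status >= 300 && res.status < 400 && location;
    url = isRedirect ? new URL(location, url).toString() : null;
  }
  return hops;
}

// Classify a recorded chain: redirect loop, https->http downgrade, host change.
function classifyChain(hops) {
  const seen = new Set();
  const findings = [];
  for (const { url, status, location } of hops) {
    if (seen.has(url)) { findings.push({ kind: 'loop', url }); break; }
    seen.add(url);
    if (status < 300 || status >= 400 || !location) continue; // not a redirect
    const from = new URL(url);
    const to = new URL(location, url); // Location may be relative
    if (from.protocol === 'https:' && to.protocol === 'http:') {
      findings.push({ kind: 'downgrade', url: to.href });
    }
    // Worth reviewing: the registry token was configured for the original host.
    if (from.host !== to.host) findings.push({ kind: 'cross-host', url: to.href });
  }
  return findings;
}

// Constructed sample: a proxy bouncing between an audit path and a login path.
const A = 'https://registry.example.test/acme/audit';
const B = 'https://registry.example.test/acme/login';
const LOOP_HOPS = [
  { url: A, status: 302, location: '/acme/login' },
  { url: B, status: 302, location: '/acme/audit' },
  { url: A, status: 302, location: '/acme/login' },
];
// Constructed sample: a redirect that leaves HTTPS and changes host.
const DOWNGRADE_HOPS = [
  { url: A, status: 301, location: 'http://cdn.example.test/audit' },
  { url: 'http://cdn.example.test/audit', status: 200, location: null },
];
console.log(classifyChain(LOOP_HOPS), classifyChain(DOWNGRADE_HOPS));
```

For a live check, pass the output of recordHops(registryUrl) to classifyChain with strict SSL left on, so the trace reflects what a verified connection sees.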
To further clarify the problem, let's delve into the steps you can take to reproduce this bug and try to fix it.
Steps to Reproduce the Bug
To reproduce the bug, follow these steps:
- Set up a Project: Create a new Node.js project or use an existing one.
- Configure Yarn:
  - Create a .yarnrc.yml file in your project root.
  - Add the configuration provided by the user (with your Gemfury URL and enableStrictSsl: false).
- Install Dependencies: Run yarn install to install your project dependencies.
- Run Audit: Execute yarn npm audit.
If the bug is present, you should see the crash with the error message detailed earlier.
Environment Details
The user provided valuable environment information:
System:
  OS: macOS 26.0.1
  CPU: (10) arm64 Apple M1 Max
Binaries:
  Node: 22.15.0 - /private/var/folders/d8/w4mqy9416kldjbf4tvfjks7r0000gn/T/xfs-7f49dc59/node
  Yarn: 4.10.3 - /private/var/folders/d8/w4mqy9416kldjbf4tvfjks7r0000gn/T/xfs-7f49dc59/yarn
  npm: 10.9.2 - /Users/remyvillulles/.nvm/versions/node/v22.15.0/bin/npm
npmPackages:
  jest: ^29.7.0 => 29.7.0
- OS: macOS 26.0.1 (This is likely macOS 12 or 13, as macOS versions don't go up to 26.)
- CPU: arm64 Apple M1 Max (This indicates an Apple Silicon Mac).
- Node: 22.15.0
- Yarn: 4.10.3
- npm: 10.9.2
This information is crucial because the bug might be specific to this combination of OS, architecture, and tool versions.
Troubleshooting and Solutions for yarn npm audit
Now, let's explore potential solutions and troubleshooting steps to fix the yarn npm audit crash:
1. Re-enable SSL Verification (and Fix Underlying SSL Issues)
The first and most important step is to try re-enabling strict SSL verification by removing or commenting out enableStrictSsl: false in your .yarnrc.yml file.
If this immediately causes SSL errors, you'll need to address the underlying SSL issue. This might involve:
- Contacting Gemfury Support: Check with Gemfury to ensure their SSL certificates are correctly configured and valid.
- Adding Gemfury's CA to your System: You might need to add Gemfury's Certificate Authority (CA) to your system's trusted certificates. The exact steps for this vary depending on your OS.
- Using ca Setting: You can also try explicitly specifying the CA certificate in your .yarnrc.yml:

  enableStrictSsl: true
  httpsCaFilePath: /path/to/gemfury-ca.pem

  You'll need to obtain the Gemfury CA certificate and save it to a file.
2. Update Yarn
Ensure you're using the latest version of Yarn. Bugs are often fixed in newer releases. You can update Yarn using Corepack:
corepack prepare yarn@latest --activate
This command updates Yarn to the latest version and activates it for your project.
3. Check for Proxy Issues
If you're using a proxy, ensure it's correctly configured and not interfering with SSL connections. You might need to set http_proxy and https_proxy environment variables.
4. Clear Yarn Cache
A corrupted cache can sometimes cause issues. Try clearing Yarn's cache:
yarn cache clean
5. Try npm audit Directly
As a workaround, you can try running npm audit directly. This will use npm's auditing mechanism instead of Yarn's. However, this might not respect your Yarn-specific configurations.
6. Investigate Network Connectivity
Ensure your machine has a stable internet connection and can reach the Gemfury registry. Try using ping or curl to test connectivity.
7. Review Gemfury Configuration
Double-check your Gemfury configuration, including your authentication token and registry URL, to ensure they are correct.
8. Check for Conflicting Configurations
Look for any conflicting configurations in your .npmrc file or environment variables that might be overriding Yarn's settings.
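A check covering step 1 and step 8 together, as an added example (not Yarn's or npm's code): it scans the .yarnrc.yml text, an .npmrc and the environment for settings that switch certificate verification off. The function name findTlsWeakening is hypothetical; YARN_ENABLE_STRICT_SSL, NODE_TLS_REJECT_UNAUTHORIZED and strict-ssl are existing Yarn, Node.js and npm settings.

```javascript
// Inputs are passed as strings so the check can run in CI without touching disk.
function findTlsWeakening({ yarnrc = '', npmrc = '', env = {} }) {
  const findings = [];
  // Commented-out YAML lines are ignored, so "commenting out" counts as a fix.
  const yaml = yarnrc.split('\n').filter((l) => !l.trim().startsWith('#'));

  if (yaml.some((l) => /^enableStrictSsl:\s*false\b/.test(l))) {
    findings.push('.yarnrc.yml: enableStrictSsl: false');
  }
  for (const l of yaml) {
    const m = l.match(/^\s*npmRegistryServer:\s*["']?(http:\/\/[^"'\s]+)/);
    if (m) findings.push(`.yarnrc.yml: plaintext registry ${m[1]}`);
  }
  // Yarn also accepts settings as YARN_* environment variables.
  if (/^(false|0)$/i.test(env.YARN_ENABLE_STRICT_SSL || '')) {
    findings.push('env: YARN_ENABLE_STRICT_SSL turns verification off');
  }
  // Node-wide switch; affects every HTTPS request the process makes.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('env: NODE_TLS_REJECT_UNAUTHORIZED=0');
  }
  // .npmrc matters for the plain `npm audit` workaround.
  for (const l of npmrc.split('\n')) {
    if (/^\s*strict-ssl\s*=\s*false\s*$/i.test(l)) findings.push('.npmrc: strict-ssl=false');
  }
  const hasCustomCa = yaml.some((l) => /^\s*httpsCaFilePath:\s*\S+/.test(l));
  return { findings, hasCustomCa };
}

// The .yarnrc.yml from the bug report (abridged) and the corrected form.
const REPORTED = [
  'npmRegistryServer: "https://npm-proxy.fury.io/mycompanyname/"',
  '# Disable SSL verification (equivalent to ca=null in .npmrc)',
  'enableStrictSsl: false',
].join('\n');
const CORRECTED = [
  'npmRegistryServer: "https://npm-proxy.fury.io/mycompanyname/"',
  'enableStrictSsl: true',
  'httpsCaFilePath: /path/to/gemfury-ca.pem',
].join('\n');

console.log(findTlsWeakening({ yarnrc: REPORTED }));
// Constructed case: the file is fixed but the shell still disables verification.
console.log(findTlsWeakening({ yarnrc: CORRECTED, env: { NODE_TLS_REJECT_UNAUTHORIZED: '0' } }));
```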
9. File a Bug Report with Yarn
If none of the above solutions work, it's possible there's a bug in Yarn. File a detailed bug report on the Yarn GitHub repository, including your environment information, .yarnrc.yml file (with sensitive information redacted), and steps to reproduce the issue.
Conclusion on yarn npm audit Crash
Troubleshooting yarn npm audit crashes often involves a process of elimination. Start by addressing potential SSL issues, updating Yarn, and checking your network configuration. Remember, disabling SSL verification should be a last resort due to the security implications. By systematically working through these steps, you should be able to identify and resolve the issue, ensuring your projects stay secure. I hope this article was helpful in guiding you through the debugging process.
For further information on Yarn and npm audit, consider checking out the official npm documentation.