[BUG] npm install is slow when POST-ing to npm/v1/security/advisories/bulk #7383

Closed
2 tasks done
fahminlb33 opened this issue Apr 17, 2024 · 2 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x


@fahminlb33

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

If I start a new npm project without an existing lockfile, installing even a single package takes a really long time. When I tried to use --verbose, I noticed an API call to https://registry.npmjs.org/-/npm/v1/security/advisories/bulk takes about 15 seconds or even longer to finish.

npm install without lockfile

npm verb reify failed optional dependency /home/fahmi/kodesiana/kodesianaeco/node_modules/fsevents
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 152243ms
npm WARN deprecated rollup-plugin-inject@3.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-inject.

npm install with lockfile

npm verb reify failed optional dependency /home/fahmi/kodesiana/kodesianaeco/node_modules/vite/node_modules/@esbuild/android-arm
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 348ms
npm http fetch GET 200 https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.14.3.tgz 284ms (cache miss)

Expected Behavior

The API call should not take too long, or should at least provide a clear status update to indicate the process. The current behavior just looks like the install process is stuck, but it is not.

My temporary solution is to disable npm audit altogether to avoid this issue, but I know it is not a good thing to do.

Steps To Reproduce

  1. Create new empty directory
  2. npm init -y
  3. Install any package, for example npm install @biomejs/biome --verbose
  4. Check the log

Environment

  • npm: 10.5.2
  • Node.js: 20.12.0
  • OS Name: Ubuntu 22.04.3 LTS
  • System Model Name: PC
  • npm config:
; "global" config from /home/fahmi/.nvm/versions/node/v20.12.0/etc/npmrc

registry = "https://registry.npmjs.org/" 

; "user" config from /home/fahmi/.npmrc

audit = false 

; node bin location = /home/fahmi/.nvm/versions/node/v20.12.0/bin/node
; node version = v20.12.0
; npm local prefix = /home/fahmi/kodesiana/kodesianaeco
; npm version = 10.5.2
; cwd = /home/fahmi/kodesiana/kodesianaeco
; HOME = /home/fahmi
; Run `npm config ls -l` to show all defaults.
@fahminlb33 fahminlb33 added Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x labels Apr 17, 2024
@wraithgar
Member

npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 194ms

This is what I get when I try to reproduce. This doesn't look like it's a problem w/ npm itself. It may have been a networking issue or an issue w/ the registry itself. If you are having issues with the npm registry you can go to https://www.npmjs.com/support

@wraithgar
Member

Full verbose output

npm verbose cli /Users/wraithgar/.nvm/versions/node/v22.0.0/bin/node /Users/wraithgar/.nvm/versions/node/v22.0.0/bin/npm
npm info using npm@10.6.0
npm info using node@v22.0.0
npm verbose title npm install @biomejs/biome
npm verbose argv "install" "@biomejs/biome" "--loglevel" "verbose" "--audit" "true"
npm verbose logfile logs-max:10 dir:/Users/wraithgar/.npm/_logs/2024-04-27T04_10_11_678Z-
npm verbose logfile /Users/wraithgar/.npm/_logs/2024-04-27T04_10_11_678Z-debug-0.log
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fbiome 382ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fcli-win32-x64 156ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fcli-linux-x64-musl 211ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fcli-linux-arm64 278ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fcli-darwin-arm64 288ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fcli-win32-arm64 293ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fcli-linux-arm64-musl 152ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fcli-darwin-x64 316ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fcli-linux-x64 359ms (cache miss)
npm verbose reify failed optional dependency /Users/wraithgar/Development/npm/scratch/audit/node_modules/@biomejs/cli-win32-x64
npm verbose reify failed optional dependency /Users/wraithgar/Development/npm/scratch/audit/node_modules/@biomejs/cli-win32-arm64
npm verbose reify failed optional dependency /Users/wraithgar/Development/npm/scratch/audit/node_modules/@biomejs/cli-linux-x64-musl
npm verbose reify failed optional dependency /Users/wraithgar/Development/npm/scratch/audit/node_modules/@biomejs/cli-linux-x64
npm verbose reify failed optional dependency /Users/wraithgar/Development/npm/scratch/audit/node_modules/@biomejs/cli-linux-arm64-musl
npm verbose reify failed optional dependency /Users/wraithgar/Development/npm/scratch/audit/node_modules/@biomejs/cli-linux-arm64
npm verbose reify failed optional dependency /Users/wraithgar/Development/npm/scratch/audit/node_modules/@biomejs/cli-darwin-arm64
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 194ms
npm http fetch GET 200 https://registry.npmjs.org/@biomejs/biome/-/biome-1.7.1.tgz 199ms (cache miss)
npm http fetch GET 200 https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-1.7.1.tgz 345ms (cache miss)
npm info run @biomejs/biome@1.7.1 postinstall node_modules/@biomejs/biome node scripts/postinstall.js
npm info run @biomejs/biome@1.7.1 postinstall { code: 0, signal: null }

added 2 packages, and audited 3 packages in 2s

found 0 vulnerabilities
npm verbose exit 0
npm info ok
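
An added example, not part of the thread or of npm's own code: a small Node.js parser for the `npm http fetch` lines that `--verbose` prints, which picks out the POSTs to the bulk advisory endpoint and flags those slower than a threshold. The sample lines are copied from the logs quoted above; the function names and the 5000 ms threshold are assumptions.

```javascript
// Constructed sample: fetch lines copied from the logs quoted in this issue.
const SAMPLE_LOG = [
  'npm verb reify failed optional dependency /home/fahmi/kodesiana/kodesianaeco/node_modules/fsevents',
  'npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 152243ms',
  'npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 348ms',
  'npm http fetch GET 200 https://registry.npmjs.org/@biomejs%2fbiome 382ms (cache miss)',
  'npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 194ms',
].join('\n');

// Terminal format shown in the thread: method, status, URL, duration, optional cache note.
const FETCH_RE = /^npm http fetch (\S+) (\d{3}) (\S+) (\d+)ms(?: \(([^)]*)\))?$/;
const ADVISORY_PATH = '/-/npm/v1/security/advisories/bulk';

// Hypothetical helper: turn verbose output into structured fetch records.
function parseFetchLines(logText) {
  const records = [];
  for (const raw of logText.split(/\r?\n/)) {
    const m = FETCH_RE.exec(raw.trim());
    if (!m) continue; // not a fetch line (reify, warn, info, ...)
    let path;
    try {
      path = new URL(m[3]).pathname;
    } catch {
      continue; // malformed URL: skip rather than guess
    }
    records.push({ method: m[1], status: Number(m[2]), url: m[3], path,
      ms: Number(m[4]), cache: m[5] || null });
  }
  return records;
}

// Hypothetical helper: summarise advisory (audit) requests and flag slow ones.
function auditLatencyReport(logText, thresholdMs = 5000) {
  const calls = parseFetchLines(logText)
    .filter((r) => r.method === 'POST' && r.path === ADVISORY_PATH);
  const slow = calls.filter((r) => r.ms > thresholdMs);
  const maxMs = calls.reduce((max, r) => Math.max(max, r.ms), 0);
  return { calls: calls.length, maxMs, slow };
}

const report = auditLatencyReport(SAMPLE_LOG);
console.log(`advisory calls: ${report.calls}, slowest: ${report.maxMs} ms`);
for (const r of report.slow) console.log(`slow audit request: ${r.ms} ms (${r.url})`);
```

Measuring the audit request this way gives a basis for choosing between `audit = false` and running `npm install --no-audit` followed by a separate `npm audit` step, which keeps the advisory check out of the install path without dropping it.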
