feat(npm-cli): add npmAuditRegistry config option (#3583)

* feat(npm-cli): add npmAuditRegistry config option

* fix(npm): getAuditRegistry fallback to publish registry

* Versions

Co-authored-by: Maël Nison <nison.mael@gmail.com>

.yarn/versions/d0edcb62.yml

@@ -0,0 +1,24 @@
+releases:
+  "@yarnpkg/cli": minor
+  "@yarnpkg/plugin-npm": minor
+  "@yarnpkg/plugin-npm-cli": minor
+
+declined:
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/plugin-constraints"
+  - "@yarnpkg/plugin-dlx"
+  - "@yarnpkg/plugin-essentials"
+  - "@yarnpkg/plugin-init"
+  - "@yarnpkg/plugin-interactive-tools"
+  - "@yarnpkg/plugin-nm"
+  - "@yarnpkg/plugin-pack"
+  - "@yarnpkg/plugin-patch"
+  - "@yarnpkg/plugin-pnp"
+  - "@yarnpkg/plugin-pnpm"
+  - "@yarnpkg/plugin-stage"
+  - "@yarnpkg/plugin-typescript"
+  - "@yarnpkg/plugin-version"
+  - "@yarnpkg/plugin-workspace-tools"
+  - "@yarnpkg/builder"
+  - "@yarnpkg/core"
+  - "@yarnpkg/doctor"

packages/plugin-npm-cli/sources/commands/npm/audit.ts

@@ -96,7 +96,7 @@ export default class AuditCommand extends BaseCommand {
       dependencies,
     };
 
-    const registry = npmConfigUtils.getPublishRegistry(workspace.manifest, {
+    const registry = npmConfigUtils.getAuditRegistry(workspace.manifest, {
       configuration,
     });
 
@@ -106,7 +106,7 @@ export default class AuditCommand extends BaseCommand {
       stdout: this.context.stdout,
     }, async () => {
       result = ((await npmHttpUtils.post(`/-/npm/v1/security/audits/quick`, body, {
-        authType: npmHttpUtils.AuthType.NO_AUTH,
+        authType: npmHttpUtils.AuthType.BEST_EFFORT,
         configuration,
         jsonResponse: true,
         registry,

packages/plugin-npm-cli/sources/npmAuditUtils.ts

@@ -183,7 +183,7 @@ export function getReportTree(result: npmAuditTypes.AuditResponse, severity?: np
         },
         Recommendation: {
           label: `Recommendation`,
-          value: formatUtils.tuple(formatUtils.Type.NO_HINT, advisory.recommendation.replace(/\n/g, ` `)),
+          value: formatUtils.tuple(formatUtils.Type.NO_HINT, advisory.recommendation?.replace(/\n/g, ` `)),
         },
       },
     };

packages/plugin-npm/sources/index.ts

@@ -34,6 +34,11 @@ const authSettings = {
 };
 
 const registrySettings = {
+  npmAuditRegistry: {
+    description: `Registry to query for audit reports`,
+    type: SettingsType.STRING as const,
+    default: null,
+  },
   npmPublishRegistry: {
     description: `Registry to push packages to`,
     type: SettingsType.STRING as const,
@@ -52,6 +57,7 @@ declare module '@yarnpkg/core' {
     npmAuthIdent: string | null;
     npmAuthToken: string | null;
 
+    npmAuditRegistry: string | null;
     npmPublishRegistry: string | null;
     npmRegistryServer: string;
 

packages/plugin-npm/sources/npmConfigUtils.ts

@@ -1,6 +1,7 @@
 import {Configuration, Manifest, Ident} from '@yarnpkg/core';
 
 export enum RegistryType {
+  AUDIT_REGISTRY = `npmAuditRegistry`,
   FETCH_REGISTRY = `npmRegistryServer`,
   PUBLISH_REGISTRY = `npmPublishRegistry`,
 }
@@ -14,8 +15,17 @@ export function normalizeRegistry(registry: string) {
   return registry.replace(/\/$/, ``);
 }
 
+// TODO: Remove the fallback on publishConfig
+export function getAuditRegistry(manifest: Manifest, {configuration}: {configuration: Configuration}) {
+  const defaultRegistry = configuration.get(RegistryType.AUDIT_REGISTRY);
+  if (defaultRegistry !== null)
+    return normalizeRegistry(defaultRegistry);
+
+  return getPublishRegistry(manifest, {configuration});
+}
+
 export function getPublishRegistry(manifest: Manifest, {configuration}: {configuration: Configuration}) {
-  if (manifest.publishConfig && manifest.publishConfig.registry)
+  if (manifest.publishConfig?.registry)
     return normalizeRegistry(manifest.publishConfig.registry);
 
   if (manifest.name)