[Bug?]: yarn npm audit --all --recursive ignores certificates settings

[mcandre]

Self-service

• I'd be willing to implement a fix

Describe the bug

When I try to scan my Yarn projects with yarn npm audit --all --recursive, then it silently ignores certificate settings.

It's not obeying httpsCaFilePath in .yarnrc.yml.

It's not obeying OS certificates.

To reproduce

1. Configure a firewall policy to block the yarn npm audit --all --recursive domains.
2. Configure yarn (and corepack!) to use proxies with self signed certificate PEM files.
3. Run yarn npm audit --all --recursive.

Environment

System:
OS: macOS 15.0
CPU: (10) arm64 Apple M1 Pro
Binaries:
Node: 20.17.0 - /private/var/folders/xc/s20l07yj76x8m3h20lmy5jlc0000gn/T/xfs-7493f3de/node
Yarn: 4.3.1 - /private/var/folders/xc/s20l07yj76x8m3h20lmy5jlc0000gn/T/xfs-7493f3de/yarn
npm: 10.8.2 - ~/.asdf/plugins/nodejs/shims/npm

Additional context

By the way, yarn's error trace on SSL problems includes a recommendation to run yarn install to provision missing packages... but that's not applicable. The error handling should skip that recommendation for socket level network errors.

[mcandre]

yarn SCA appears to also ignore NODE_EXTRA_CA_CERTS, causing security scans to fail when behind a proxy using self-signed certificates.

[aep-sunlife]

yarn npm audit... appears to ignore stock NPM registry credentials configuration. May as well rename the subcommand back to yarn audit, instead of implying that yarn SCA actually integrates with the normal npm audit user configuration system, which is confusing.

[aep-sunlife]

Unsure whether httpsCertFilePath is the right key, but that one appears to be ignored as well when constructing the HTTP client handler to communicate with proxies.