[QUESTION] registry.npmjs.org API/format change for security advisories #1291
Comments
Other changes to the NPM Advisory API include modifications to the 'next' and 'prev' fields which prevent the API from being paginated without having to create workarounds.
cc @evilpacket
@ljharb thanks for the ping. On the one hand this API was undocumented and is only supported through the official channel that is npm cli (for npm audit) and the website. On the other this is an unexpected change and I've been informed that engineering will likely be working on a fix for it. Triage pending.
I just took a look at the advisories output from the referenced endpoint and I think dates should be back to what you are expecting?
Again I want to note that these endpoints are undocumented and unsupported and are likely to change in the future. You may want to consider migrating to consume advisory data from the GitHub Advisory database which is available under the Creative Commons Attribution 4.0 license.
What / Why
Apparently the endpoint at https://registry.npmjs.org/-/npm/v1/security/advisories changed the output format without notice.
Previously, timestamps included a "Z" as a timezone indicator - which was now silently removed, breaking e.g. the DependencyTrack parser.
Is the current version the "new stable" or will it be changed again?
Where
Who
References
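A consumer of this feed can be made tolerant of the change reported in this issue by accepting timestamps both with and without the trailing "Z". The following is an added example, not part of the original thread and not code from npm or DependencyTrack. It assumes that a timestamp without a zone designator is still UTC, and the field names `created` and `updated` and the sample records are constructed for illustration.

```javascript
// Added example, not code from npm or DependencyTrack.
// Assumption: a timestamp with no zone designator is still UTC.
const TS_RE =
  /^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:?\d{2})?$/;

function parseAdvisoryTimestamp(value) {
  if (typeof value !== 'string') {
    throw new TypeError('advisory timestamp must be a string');
  }
  const m = TS_RE.exec(value.trim());
  if (!m) {
    throw new RangeError('unrecognised advisory timestamp: ' + value);
  }
  const [, date, time, frac = '', zone = 'Z'] = m;
  // Date keeps millisecond precision, so pad or truncate the fraction.
  const ms = (frac + '000').slice(0, 3);
  // Insert the colon that "+0200"-style offsets lack.
  const offset = zone.length === 5 ? zone.slice(0, 3) + ':' + zone.slice(3) : zone;
  // Always hand Date an explicit zone: a bare "2019-06-12T15:32:10" would
  // otherwise be read as local time and shift with the host's TZ setting.
  const parsed = new Date(`${date}T${time}.${ms}${offset}`);
  if (Number.isNaN(parsed.getTime())) {
    throw new RangeError('out-of-range advisory timestamp: ' + value);
  }
  return parsed;
}

// Returns a copy of an advisory with its date fields as canonical UTC strings.
// The field names "created" and "updated" are assumed for illustration.
function normalizeAdvisoryDates(advisory, fields = ['created', 'updated']) {
  const out = { ...advisory };
  for (const f of fields) {
    if (out[f] != null) out[f] = parseAdvisoryTimestamp(out[f]).toISOString();
  }
  return out;
}

// Constructed sample records: old format (with "Z") and new format (without).
const before = normalizeAdvisoryDates({ id: 1, created: '2019-06-12T15:32:10.123Z' });
const after = normalizeAdvisoryDates({ id: 1, created: '2019-06-12T15:32:10.123' });
console.log(before.created === after.created); // true
```

Rejecting unparseable values with an exception, rather than storing a null or a guessed date, keeps a silent format change from turning into silently wrong advisory dates downstream.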