Getting a strange error when doing npm install from a package.json that has has a dependency to a package (say, my-private-lib) from a private registry.
npm ERR! Cannot convert undefined or null to object
The reason is that even tho we install my-private-lib by specifying a custom registry...
npm install --registry=https://my-custom-registry.com/ my-private-lib --save
...later when you try to do npm install fresh from that package.json, at the stage where it's checking for security advisories etc npm is still going to the public npm registry (from the npm logs)
107 http fetch GET 200 https://registry.npmjs.org/my-private-lib 926ms (cache revalidated)
108 timing metavuln:packument:my-private-lib Completed in 927ms
109 timing command:install Completed in 4869ms
110 verbose stack TypeError: Cannot convert undefined or null to object
110 verbose stack at Function.keys (<anonymous>)
110 verbose stack at Advisory.load (/usr/local/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js:109:33)
110 verbose stack at Calculator.[calculate] (/usr/local/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/index.js:60:14)
110 verbose stack at async Promise.all (index 1)
110 verbose stack at async Map.[init] (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:186:9)
110 verbose stack at async Map.run (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:109:7)
110 verbose stack at async Arborist.reify (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js:158:5)
110 verbose stack at async Install.exec (/usr/local/lib/node_modules/npm/lib/commands/install.js:156:5)
110 verbose stack at async module.exports (/usr/local/lib/node_modules/npm/lib/cli.js:78:5)
Of course the https://registry.npmjs.org/my-private-lib package is an entirely different one to the one I want. One would think if a package was installed with a custom registry that npm would consult that registry for this step - but it does not.
How can I get npm to look at the specified registry for the advisories checking step? (i.e. in the GET call on line 107 in the log above)
Node version 16.16.0
NPM version 8.11.0
