fix(audit)!: remove fallback to publish registries

.yarn/versions/9bb15e03.yml

@@ -0,0 +1,24 @@
+releases:
+  "@yarnpkg/cli": major
+  "@yarnpkg/plugin-npm": major
+  "@yarnpkg/plugin-npm-cli": major
+
+declined:
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/plugin-constraints"
+  - "@yarnpkg/plugin-dlx"
+  - "@yarnpkg/plugin-essentials"
+  - "@yarnpkg/plugin-init"
+  - "@yarnpkg/plugin-interactive-tools"
+  - "@yarnpkg/plugin-nm"
+  - "@yarnpkg/plugin-pack"
+  - "@yarnpkg/plugin-patch"
+  - "@yarnpkg/plugin-pnp"
+  - "@yarnpkg/plugin-pnpm"
+  - "@yarnpkg/plugin-stage"
+  - "@yarnpkg/plugin-typescript"
+  - "@yarnpkg/plugin-version"
+  - "@yarnpkg/plugin-workspace-tools"
+  - "@yarnpkg/builder"
+  - "@yarnpkg/core"
+  - "@yarnpkg/doctor"

CHANGELOG.md

@@ -19,6 +19,7 @@ Yarn now accepts sponsorships! Please give a look at our [OpenCollective](https:
 - The network settings configuration option has been renamed from `caFilePath` to `httpsCaFilePath`.
 - Set `nmMode` to `hardlinks-local` by default.
 - `yarn workspaces foreach` now automatically enables the `-v,--verbose` flag in interactive terminal environments.
+- `yarn npm audit` no longer takes into account publish registries. Use [`npmAuditRegistry`](https://yarnpkg.com/configuration/yarnrc#npmAuditRegistry) instead.
 
 ### **API Changes**
 
@@ -38,6 +39,8 @@ The following changes only affect people writing Yarn plugins:
 
 - `renderForm`'s `options` argument is now required to enforce that custom streams are always specified.
 
+- `npmConfigUtils.getAuditRegistry` no longer takes a `Manifest` as its first argument.
+
 ### Installs
 
 - The `pnpm` linker avoids creating symlinks that lead to loops on the file system, by moving them higher up in the directory structure.

packages/plugin-npm-cli/sources/commands/npm/audit.ts

@@ -142,9 +142,7 @@ export default class AuditCommand extends BaseCommand {
       dependencies,
     };
 
-    const registry = npmConfigUtils.getAuditRegistry(workspace.manifest, {
-      configuration,
-    });
+    const registry = npmConfigUtils.getAuditRegistry({configuration});
 
     let result!: npmAuditTypes.AuditResponse;
     const httpReport = await LightReport.start({

packages/plugin-npm/sources/npmConfigUtils.ts

@@ -15,13 +15,8 @@ export function normalizeRegistry(registry: string) {
   return registry.replace(/\/$/, ``);
 }
 
-// TODO: Remove the fallback on publishConfig
-export function getAuditRegistry(manifest: Manifest, {configuration}: {configuration: Configuration}) {
-  const defaultRegistry = configuration.get(RegistryType.AUDIT_REGISTRY);
-  if (defaultRegistry !== null)
-    return normalizeRegistry(defaultRegistry);
-
-  return getPublishRegistry(manifest, {configuration});
+export function getAuditRegistry({configuration}: {configuration: Configuration}) {
+  return getDefaultRegistry({configuration, type: RegistryType.AUDIT_REGISTRY});
 }
 
 export function getPublishRegistry(manifest: Manifest, {configuration}: {configuration: Configuration}) {