diff --git a/lib/importmap/npm.rb b/lib/importmap/npm.rb
index 4a54f85..7eb1cfb 100644
--- a/lib/importmap/npm.rb
+++ b/lib/importmap/npm.rb
@@ -80,6 +80,10 @@ def get_json(uri)
         http.request(request)
       }
 
+      unless response.code.to_i < 300
+        raise HTTPError, "Unexpected error response #{response.code}: #{response.body}"
+      end
+
       response.body
     rescue => error
       raise HTTPError, "Unexpected transport error (#{error.class}: #{error.message})"
@@ -111,6 +115,9 @@ def get_audit
       return {} if body.empty?
 
       response = post_json(uri, body)
+      unless response.code.to_i < 300
+        raise HTTPError, "Unexpected error response #{response.code}: #{response.body}"
+      end
       JSON.parse(response.body)
     end
 
diff --git a/test/npm_test.rb b/test/npm_test.rb
index a53f8b0..b9f7b1a 100644
--- a/test/npm_test.rb
+++ b/test/npm_test.rb
@@ -67,6 +67,22 @@ class Importmap::NpmTest < ActiveSupport::TestCase
     end
   end
 
+  test "failed vulnerable packages with mock" do
+    response = Class.new do
+      def body
+        { "message" => "Service unavailable" }.to_json
+      end
+
+      def code() "500" end
+    end.new
+
+    @npm.stub(:post_json, response) do
+      assert_raises(Importmap::Npm::HTTPError) do
+        vulnerable_packages = @npm.vulnerable_packages
+      end
+    end
+  end
+
   test "successful vulnerable packages with mock" do
     response = Class.new do
       def body