andymel

Reputation: 5706

How to debug 'npm ERR! 403 In most cases, you or one of your dependencies are requesting a package version that is forbidden by your security policy.'

I am currently trying to set up a Jenkins and a private npm repository (Sonatype Nexus). I get the following error when I try to publish to the repository within a Jenkins build pipeline.

+ npm publish --registry https://<my-private-registry>/repository/npm-private/
npm notice 
npm notice package: ts-acoustics@0.0.0
npm notice === Tarball Contents === 
npm notice 2.4kB  Jenkinsfile                       
...
('notice' level info about the files)
...
npm notice === Tarball Details === 
npm notice name:          ts-acoustics                            
npm notice version:       0.0.0                                   
npm notice package size:  13.8 kB                                 
npm notice unpacked size: 47.5 kB                                 
npm notice shasum:        554b6d2b41321d78e00f6a309bb61c9181a2e3d6
npm notice integrity:     sha512-QtExdu6IqZ+lH[...]r+HXolo4YCFPg==
npm notice total files:   17                                      
npm notice 
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://<my-private-registry>/repository/npm-private/ts-acoustics
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

I find no further info about why it is forbidden in the Nexus logs and this open GitHub bug tells me that the above error text is leading in the wrong direction in most of the cases?!

Any idea of how to proceed to make publishing work?!


Update 1: I just saw that I have the same problem when I try to publish it manually!

Jenkins is out of the equation for simplicity reasons.

Update 2: I can do npm adduser --registry... and npm tells me

Logged in as <my-user> on https://<my-private-registry>/repository/npm-private/.

When I do npm whoami --registry... it displays the correct user name.

When I do npm publish --registry... in the project, it shows the 403 Error.

Upvotes: 72

Views: 121405

Answers (17)

Mahluleli Goodson

Reputation: 31

For anyone facing the same/similar in Docker, you can make sure you update npm to the latest version in your Dockerfile: RUN ["npm", "install", "-g", "npm@latest"], before any npm install.

Upvotes: 0

Lauri Elias

Reputation: 1299

I visited the tarball URL that was getting the 403 and saw this:

You can't download this repository because it's too large. Return to the downloads page or the repository overview. 

So all the experiments with SSH keys, access tokens, .npmrc, and manually editing the lockfile were a wild goose chase. My Bitbucket repo had simply grown larger than 2 GB.

Upvotes: 0

Evol Rof

Reputation: 2802

In my case it was a npm registry/mirror issue.

If you are using any registry/mirror, try resetting it:

npm config set registry https://registry.npmjs.org/

then npm login/npm adduser

Upvotes: 0

Madusha Prasad

Reputation: 57

I got this error. I changed the package name in the package.json file, and after that the error was fixed.

{ "name": "digi-clock", "version": "1.0.0" }

Change the value of this "name".

Upvotes: 3

arnaspdk

Reputation: 62

For me it helped to log in to npm on the command line and then publish.

npm login

npm publish

And make sure to publish a new version.

Upvotes: -1

Pascal R.

Reputation: 2323

For me an update of npm from v6 to v8 solved the problem. The old package-lock layout had a full registry path for every package and some of these paths were not up-to-date.

Upvotes: 0

Ankur Marwaha

Reputation: 1885

Updating the PACKAGE-VERSION while publishing fixed the issue for me.


Upvotes: 14

Chris Yeager

Reputation: 134

While I don't understand how it's related, updating to the latest version of git resolved this issue for all that were having it in my organization 🤷‍♂️

Upvotes: 0

andymel

Reputation: 5706

How to debug this:

As you can see by all the answers, there are a lot of things that result in the same failure message. Here is how you can find your root cause:

In the Nexus Repository Manager -> menu entry "Logging"
There you can simply change the log level for each java package Nexus consists of at runtime.

Change all LogLevels for packages including "security" or "rest" to TRACE and trigger your request again.

In the LogViewer (also part of Nexus) you can hopefully see all the necessary information to understand the problem now.


In my case, I had to add the nx-repository-view-*-*-edit privilege to the role I had created for the user that Jenkins uses to log in to Nexus. I thought nx-repository-view-*-*-add was enough to publish.

Hope it helps!

Upvotes: 8
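
The privilege gap described in the answer above can be checked offline against a role's privilege list. This is an added example, not code from the thread or from Nexus; the sample role is constructed, and the required actions (add and edit) are taken from that answer as an assumption.

```javascript
// Nexus repository-view privileges are named
// nx-repository-view-<format>-<repository>-<action>, where `*` is a wildcard.
const ACTIONS = ['browse', 'read', 'edit', 'add', 'delete'];

function parseViewPrivilege(name) {
  const prefix = 'nx-repository-view-';
  if (!name.startsWith(prefix)) return null; // some other privilege type
  const parts = name.slice(prefix.length).split('-');
  if (parts.length < 3) return null;
  const action = parts[parts.length - 1];
  if (action !== '*' && !ACTIONS.includes(action)) return null;
  // Repository names may contain hyphens (npm-private), so the format is the
  // first segment, the action the last, and everything between is the name.
  return { format: parts[0], repository: parts.slice(1, -1).join('-'), action };
}

// Returns the required actions that no privilege in the role grants.
function missingPublishActions(rolePrivileges, format, repository, required) {
  const grants = rolePrivileges.map(parseViewPrivilege).filter(Boolean);
  const covers = (g, action) =>
    (g.format === '*' || g.format === format) &&
    (g.repository === '*' || g.repository === repository) &&
    (g.action === '*' || g.action === action);
  return required.filter((action) => !grants.some((g) => covers(g, action)));
}

// Constructed role for a CI user: it can add and read, but not edit.
const sampleRole = [
  'nx-repository-view-*-*-add',
  'nx-repository-view-npm-npm-private-read',
];
// Assumption from the answer above: publishing needed both add and edit.
const REQUIRED_FOR_PUBLISH = ['add', 'edit'];

const missing = missingPublishActions(
  sampleRole, 'npm', 'npm-private', REQUIRED_FOR_PUBLISH);
console.log(missing.length ? `missing: ${missing.join(', ')}` : 'role covers publish');
```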

Sigurðr

Reputation: 1

In my case the culprit was the AWS WAF rule EC2MetaDataSSRF_BODY.

Upvotes: 0

Rajesh Malviya

Reputation: 141

This mainly occurs in two scenarios:

  1. The error may result from a conflicting package that is public. Just change the name of the package in the package.json and try again!

  2. You may have signed up recently and forgotten to verify the email. So, you can log in at this link: https://www.npmjs.com/login

    On the header you will see an option to send a verification link to your email. Once you complete the verification, try to publish it again.

Remark: 2) worked for me.

Upvotes: 14

Evgeny

Reputation: 10896

I had this issue when I mistakenly tried to use a read-only access token for publishing a package. I created a new access token for myself in settings -> account -> access tokens, and that fixed the issue.

Upvotes: 0

CallSign-Filter

Reputation: 1301

If you are like me and following the Node Cookbook example, or some other example where you just made your account, your error is probably like mine.

I hadn't verified my email address and got the same error (it was a new account). Once I verified, it worked (even on VPN).

Check your email and verify your account.

Upvotes: 107

Chris Mutua

Reputation: 143

The error may result due to a conflicting package that is public. Just change the name of the package in the package.json and try again!

Upvotes: 3

Daniel

Reputation: 59

I had the same error, which seems to be a blanket error for these issues. I solved it by renaming the package in package.json. Also make sure you update the version every time you publish if you already have a version published.

Upvotes: 3

Samuel Rosenstein

Reputation: 374

I got the same error while publishing to JFrog Artifactory. It was the result of already having a package with the same name in the repository. In order to fix this, either delete the old package or change the version/name of the new one.

Upvotes: 10
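
Several answers above trace the 403 to a name or version that already exists in the target registry. The following added example (not code from the thread) separates that case from an authentication or privilege problem by comparing package.json with the registry's metadata document for the package. The sample document and user names are constructed, and the `maintainers` check assumes the registry fills that field in.

```javascript
// `packument` is the JSON a registry returns for GET <registry>/<package-name>;
// pass null when that request answers 404.
function triagePublish403(pkg, packument, user) {
  if (packument === null) {
    // Name is unused in this registry, so nothing on the package side blocks
    // the PUT: look at the token scope and the repository role instead.
    return [{ cause: 'auth-or-privilege', detail: `${pkg.name} not found in registry` }];
  }
  const findings = [];
  const versions = Object.keys(packument.versions || {});
  if (versions.includes(pkg.version)) {
    findings.push({
      cause: 'version-exists',
      detail: `${pkg.name}@${pkg.version} is already published; bump the version`,
    });
  }
  // Not every registry fills in `maintainers`; skip the check when it is absent.
  const owners = (packument.maintainers || []).map((m) => m.name);
  if (owners.length > 0 && !owners.includes(user)) {
    findings.push({
      cause: 'name-owned-by-others',
      detail: `${pkg.name} belongs to ${owners.join(', ')}; rename or use a scope`,
    });
  }
  if (findings.length === 0) {
    findings.push({ cause: 'auth-or-privilege', detail: 'package state allows this publish' });
  }
  return findings;
}

// Constructed sample data: the package name and version are the ones quoted in
// Madusha Prasad's answer; the owner and user names are made up.
const samplePackument = {
  name: 'digi-clock',
  'dist-tags': { latest: '1.0.0' },
  versions: { '0.9.0': {}, '1.0.0': {} },
  maintainers: [{ name: 'someone-else' }],
};
const samplePkg = { name: 'digi-clock', version: '1.0.0' };

for (const f of triagePublish403(samplePkg, samplePackument, 'my-user')) {
  console.log(`${f.cause}: ${f.detail}`);
}
```

When the result is `auth-or-privilege`, the package state is not what blocks the publish, and the token type, account verification and repository role discussed in the other answers are the next things to check.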

prag

Reputation: 41

I had exactly the same NPM ERR! 403 issue and finally it was resolved by disconnecting from all VPNs.

Upvotes: 1
