Reputation: 86
I've created an AWS CodeArtifact repository with an upstream connection to npmjs.com. After installing the latest publicly available version of the lodash package (4.17.21), I tried to publish a self-patched version to the repository (4.17.50). When I do this, I get the following error:
npm ERR! 400 Bad Request - PUT https://amazon-{redacted}.d.codeartifact.us-west-2.amazonaws.com/npm/test-repository/lodash - The provided package is configured to block new version publishes.
What would cause this action to be blocked? Similar publishes have succeeded in the past; has something recently changed?
Upvotes: 1
Views: 1250
Reputation: 86
CodeArtifact recently released a feature called Package Origin Control (POC) to help avoid unintended intermixing of public (such as from npmjs.com) and private package versions.
This feature lets repository owners control how new versions of a package get pulled into a repository by blocking publishing of new versions and/or downloading upstream versions into the repository. This can help users protect against a "dependency substitution" attack, where a package that is intended to be internal-only is published to a public repository with a high version number by a malicious actor, tricking build systems into unintentionally consuming the malicious external version instead. Blog post on the topic: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610.
Each package in a CodeArtifact repository now has two origin control flags: publish, and upstream. Each can be set to either ALLOW or BLOCK. The publish flag controls whether new versions of the package can be published into the repository, and the upstream flag controls whether new versions of the package present in an upstream repository but not yet retained in the repository will be available through the upstream repository.
If a package first enters a repository as a result of being downloaded from an upstream, then the package has its publish flag set to BLOCK. This is what has happened to the package in question. If you wish to intentionally mix public and private packages, then you will need to set the publish flag for the package to ALLOW. You can do this in the AWS Console on the CodeArtifact package details page (Repositories list -> Repository view -> Package view -> Origin controls section), or via the AWS CLI by calling put-package-origin-configuration like so:

aws codeartifact put-package-origin-configuration --domain test-domain \
  --repository test-repository --format npm --package lodash \
  --restrictions publish=ALLOW,upstream=BLOCK
Note: As written, this command will allow the publish to succeed, but will prevent pulling additional public versions of lodash into the repository from npmjs.com. While the restrictions can be set to publish=ALLOW,upstream=ALLOW, the safest configuration will always have the publish/upstream flags inverted to prevent mixing public and private versions. The restrictions can also be set temporarily in the event you want to publish a patched version of a public package, then return to blocking future publishes.
Upvotes: 3
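An added example (not from the original question or answer) of the "set the restrictions temporarily, publish, then return to blocking" workflow the answer describes, written against the boto3 CodeArtifact client. The API calls `describe_package` and `put_package_origin_configuration` and the response shape `package.originConfiguration.restrictions` are the real ones; the `FakeCodeArtifact` class is a constructed stand-in so the script runs offline, and the domain/repository/package names plus the choice to finish with both flags set to BLOCK are assumptions made here. The point it demonstrates is that the window is opened as publish=ALLOW,upstream=BLOCK (the inverted pairing the answer recommends) and that the BLOCK state is re-applied even when the publish step fails.

```python
"""Open a temporary CodeArtifact publish window for one package and always
return to BLOCK afterwards.  Example code, not from the original post."""
import contextlib

ALLOW, BLOCK = "ALLOW", "BLOCK"
# Assumption: once a private version exists, pin the package completely.
SAFE_AFTER_PUBLISH = {"publish": BLOCK, "upstream": BLOCK}


def current_restrictions(client, domain, repository, fmt, package):
    """Read the origin-control flags the way describe_package reports them."""
    resp = client.describe_package(
        domain=domain, repository=repository, format=fmt, package=package
    )
    r = resp["package"]["originConfiguration"]["restrictions"]
    return {"publish": r["publish"], "upstream": r["upstream"]}


def set_restrictions(client, domain, repository, fmt, package, restrictions):
    """Apply both flags at once (the CLI's --restrictions publish=..,upstream=..)."""
    client.put_package_origin_configuration(
        domain=domain, repository=repository, format=fmt, package=package,
        restrictions=dict(restrictions),
    )


def mixes_origins(restrictions):
    """True when both flags are ALLOW: public and private versions can intermix."""
    return restrictions["publish"] == ALLOW and restrictions["upstream"] == ALLOW


@contextlib.contextmanager
def publish_window(client, domain, repository, fmt, package, after=SAFE_AFTER_PUBLISH):
    """publish=ALLOW,upstream=BLOCK for the duration of the block; `after` is
    re-applied in a finally clause, so a failed npm publish never leaves the
    package open."""
    before = current_restrictions(client, domain, repository, fmt, package)
    set_restrictions(client, domain, repository, fmt, package,
                     {"publish": ALLOW, "upstream": BLOCK})
    try:
        yield before
    finally:
        set_restrictions(client, domain, repository, fmt, package, after)


class FakeCodeArtifact:
    """Constructed stand-in for boto3.client("codeartifact"): one package whose
    first version arrived from upstream, so it starts publish=BLOCK, upstream=ALLOW."""

    def __init__(self):
        self.restrictions = {"publish": BLOCK, "upstream": ALLOW}
        self.history = [dict(self.restrictions)]  # every state the flags have had

    def describe_package(self, **kw):
        return {"package": {"originConfiguration": {"restrictions": dict(self.restrictions)}}}

    def put_package_origin_configuration(self, restrictions, **kw):
        self.restrictions = dict(restrictions)
        self.history.append(dict(restrictions))


def failing_publish():
    """Simulated publish step that fails, to show the flags are still restored."""
    raise RuntimeError("npm ERR! 400 Bad Request (simulated)")


def publish_patched(client, publish_step, domain="test-domain",
                    repository="test-repository", package="lodash"):
    """Run publish_step() inside a publish window; return the flag history."""
    with publish_window(client, domain, repository, "npm", package):
        publish_step()
    return client.history


if __name__ == "__main__":
    # Swap FakeCodeArtifact() for boto3.client("codeartifact") to run for real;
    # publish_step would then be a subprocess call to `npm publish`.
    print(publish_patched(FakeCodeArtifact(), lambda: print("npm publish lodash@4.17.50")))
    failed = FakeCodeArtifact()
    try:
        publish_patched(failed, failing_publish)
    except RuntimeError as err:
        print("publish failed:", err, "-> flags now", failed.restrictions)
```

The window never restores the prior value of `publish`; it is pinned to BLOCK on exit regardless of how the package started, which is the behaviour the answer recommends for a package that now carries a private version. Passing `after=` a different mapping is the only way to leave it open, and `mixes_origins` can be used as a guard on that mapping before it is applied.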