How to debug 'npm ERR! 403 In most cases, you or one of your dependencies are requesting a package version that is forbidden by your security policy.'
TypescriptNpmJenkins PipelineNexusTypescript Problem Overview
I am currently trying to set up a Jenkins and a private npm repository (Sonatype Nexus). I get the following error when I try to publish to the repository within a Jenkins build pipeline.
+ npm publish --registry https://<my-private-registry>/repository/npm-private/
npm notice
npm notice package: ts-acoustics@0.0.0
npm notice === Tarball Contents ===
npm notice 2.4kB Jenkinsfile
...
('notice' level info about the files)
...
npm notice === Tarball Details ===
npm notice name: ts-acoustics
npm notice version: 0.0.0
npm notice package size: 13.8 kB
npm notice unpacked size: 47.5 kB
npm notice shasum: 554b6d2b41321d78e00f6a309bb61c9181a2e3d6
npm notice integrity: sha512-QtExdu6IqZ+lH[...]r+HXolo4YCFPg==
npm notice total files: 17
npm notice
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://<my-private-registry>/repository/npm-private/ts-acoustics
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.
I find no further info about why it is forbidden in the Nexus logs and this open GitHub bug tells me that the above error text is leading in the wrong direction in most of the cases?!
Any idea of how to proceed to make publishing work?!
Update 1: I just saw that I have the same problem when I try to publish it manually! So Jenkins is out of the equation for simplicity reasons.
Update 2: I can do npm adduser --registry...
and npm tells me
Logged in as <my-user> on https://<my-private-registry>/repository/npm-private/.
When I do npm whoami --registry...
it displays the correct user name.
When I do npm publish --registry...
in the project, it shows the 403 Error
Typescript Solutions
Solution 1 - Typescript
If you are like me and following the Node Cookbook example, or some other example where you just made your account, your error is probably like mine.
I hadn't verified my email address and got the same error (it was a new account). Once I verified, it worked (even on VPN).
Check your email and verify your account.
Solution 2 - Typescript
This is mainly occur in two scenearios
-
The error may result due to a *conflicting package that is public. Just change the name of the package in the
package.json
and try again! -
You may have signed up recently and forgot to verify the email. So, you can login to this link: https://www.npmjs.com/login
On the header you will see an option to send a verification link to your email. Once you complete the verification, try to publish it again.
Remark: 2) worked for me.
Solution 3 - Typescript
How to debug this:
As you can see by all the answers, there are a lot of things that result in the same failure message. Here is how you can find your root cause:
In the Nexus Repository Manager -> menu entry "Logging"
There you can simply change the log level for each java package Nexus consists of at runtime.
Change all LogLevels for packages including "security" or "rest" to TRACE and trigger your request again.
In the LogViewer (also part of Nexus) you can hopefully see all the necessary information to understand the problem now.
In my case, I had to add the nx-repository-view-*-*-edit
privilege to the role I had created for the user that Jenkins uses to login to Nexus. I thought nx-repository-view-*-*-add
is enough to publish.
Hope it helps!
Solution 4 - Typescript
I got the same error while publishing to JFrog Artifactory. It was the result of already having a package with the same name in the repository. In order to fix this, either delete the old package or change the version/name of the new one.
Solution 5 - Typescript
I had the same error, which seems to be blanket over these issues. I solved it by renaming the package name in package.json. Also make sure you are updating the version as well every time when publishing if you already have a version published.
Solution 6 - Typescript
The error may result due to a conflicting package that is public. Just change the name of the package in the package.json and try again!
Solution 7 - Typescript
I also got this error. I changed the package name of the package.json file, and that fixed the error.
> { "name": "digi-clock", "version": "1.0.0",}
Change the value of this "name"
Solution 8 - Typescript
Solution 9 - Typescript
I had exactly the same NPM ERR! 403 issue and finally it was resolved by disconnecting from all VPN .
Solution 10 - Typescript
I had this issue when I by mistake tried to use read-only access token for publishing a package. I've create myself a new access token in the settings -> account -> access tokens and fixed the issue.
Solution 11 - Typescript
In my case the culprit was the AWS WAF rule EC2MetaDataSSRF_BODY
.
Solution 12 - Typescript
While I don't understand how it's related, updating to the latest version of git resolved this issue for all that were having it in my organization 路♂️
Solution 13 - Typescript
For me an update of npm from v6 to v8 solved the problem. The old package-lock layout had a full registry path for every package and some of these paths were not up-to-date.