[BUG] 403 when publishing the scoped package

[FRSgit]

What / Why

When I try to publish public package under my organization's scope I get 403. Logging out & in back again doesn't help. At the same time it's possible for me to publish a non-scoped package connected with the same account.

When

Every time.

Where

• npm public registry

How

Current Behavior

• I try to publish new package with use of command: npm publish --access=public.
• This results in output:

npm ERR! code E403
npm ERR! 403 Forbidden - PUT https://registry.npmjs.org/@frsource%2frs-replace - Forbidden

Click for full logs

0 info it worked if it ends with ok
1 verbose cli [ '/usr/local/Cellar/node@10/10.16.0/bin/node',
1 verbose cli   '/usr/local/opt/node@10/bin/npm',
1 verbose cli   'publish',
1 verbose cli   '--access=public' ]
2 info using npm@6.9.0
3 info using node@v10.16.0
4 verbose npm-session 9e63c1cde6bc3ea4
5 verbose publish [ '.' ]
6 info lifecycle @frsource/replace@2.1.0~prepublish: @frsource/replace@2.1.0
7 info lifecycle @frsource/replace@2.1.0~prepare: @frsource/replace@2.1.0
8 info lifecycle @frsource/replace@2.1.0~prepublishOnly: @frsource/replace@2.1.0
9 info lifecycle @frsource/replace@2.1.0~prepack: @frsource/replace@2.1.0
10 info lifecycle @frsource/replace@2.1.0~postpack: @frsource/replace@2.1.0
11 notice
12 notice 📦  @frsource/replace@2.1.0
13 notice === Tarball Contents ===
14 notice 2.0kB   package.json
14 notice 5.1kB   CHANGELOG.md
14 notice 42B     index.js
14 notice 11.4kB  LICENSE
14 notice 11.4kB  README.md
14 notice 184.5kB yarn.lock
14 notice 4.8kB   bin/cli.js
14 notice 3.3kB   src/replace.js
15 notice === Tarball Details ===
16 notice name:          @frsource/replace
16 notice version:       2.1.0
16 notice package size:  84.7 kB
16 notice unpacked size: 222.5 kB
16 notice shasum:        6605ad0bed87d0f03a224c796d14e3342dd205b2
16 notice integrity:     sha512-9VEHk9NI1sXFQ[...]8W7b+05wGQdDw==
16 notice total files:   8
17 notice
18 http fetch PUT 403 https://registry.npmjs.org/@frsource%2freplace 1231ms
19 verbose stack Error: 403 Forbidden - PUT https://registry.npmjs.org/@frsource%2freplace - Forbidden
19 verbose stack     at res.buffer.catch.then.body (/usr/local/Cellar/node@10/10.16.0/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:104:15)
19 verbose stack     at process._tickCallback (internal/process/next_tick.js:68:7)
20 verbose statusCode 403
21 verbose pkgid @frsource/replace@2.1.0
22 verbose cwd /Users/jakubfreisler/Projects/Web/FRS-replace
23 verbose Darwin 18.7.0
24 verbose argv "/usr/local/Cellar/node@10/10.16.0/bin/node" "/usr/local/opt/node@10/bin/npm" "publish" "--access=public"
25 verbose node v10.16.0
26 verbose npm  v6.9.0
27 error code E403
28 error 403 Forbidden - PUT https://registry.npmjs.org/@frsource%2freplace - Forbidden
29 verbose exit [ 1, true ]

Steps to Reproduce

• with package.json config like this:

{
  "name": "@frsource/frs-replace",
  "version": "2.1.0",
  "description": "Simple wrapper around javascript replace with CLI usage support!",
  "bin": {
    "frs-replace": "./src/cli.js"
  },
  "main": "index.js",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/FRSource/frs-replace.git"
  },
  "author": "Jakub Freisler <FRSgit@users.noreply.github.com>",
  "license": "Apache-2.0"
}

• run npm publish --access=public

Expected Behavior

• package should get published

Who

• @frsgit
• @frsource

References

• n/a

[FRSgit]

Any ideas on what's going on here?

[ljharb]

The first version of a scoped package needs to be published explicitly with --access public. have you tried that?

[FRSgit]

Hi @ljharb! Yea, as I wrote in Current Behaviour section above I have tried that and unfortunately it still fails miserably 😞
Any other ideas? I think I've tried everything, but still cannot make the scoped publish working 😭

[ljharb]

And you're sure that npm whoami has the ability to create new packages in the org?

[FRSgit]

npm whoami returns frsgit who is the owner of frsource org (have a look at the screenshot below).

[FRSgit]

Is there any other way of checking what are ones privileges in the organisation than through the web interface?

[ljharb]

npm access ls-packages

[FRSgit]

@ljharb With this comment you've helped poor man who was struggling for last 2 months 💯
The package just got published under new organisation! 🎉
I had the team created in the organisation for this exact package, but my account wasn't in the team 🤦
Maybe empty teams should be better highlighted or sth? There is no way I would think about this. Well, but after I've added myself to the package team I was able to publish the package, so the problem got resolved. Once again @ljharb, big thank you! 👍

[elaijuh]

I have the same problem here. Based on my understanding, a org member can create packages whether he is or is not in a team. So is this NPM bug?

[FRSgit]

For me the problem was that I was trying to update a package whilst being a creator of the organisation but not a part of package's team.
Without being in the team I wasn't able to update the package at all. Dunno how it works for creating of new packages, but I think for this you just need to be a part of the organisation, no?
It's also possible what's you're talking about is a separate issue.

[elaijuh]

I was invited to an org as a member. But I cannot npm publish --access public a new package and see any of the packages under this Org. According to https://docs.npmjs.com/adding-members-to-your-org, there is a developers team, but I don't see that team and I am not under that team by default.

[FRSgit]

Developers team is a default one, but the organisation admin can revoke access of it's members to any of the packages. Maybe you should be added to any of the other of organization's teams?
Nevertheless, that's a completely different issue than the one I've faced here - if it still persist, maybe think about creating new issue?

[elaijuh]

Actually my confusing is why owner cannot publish packages until he is under some team. Maybe it's the design of NPM, just feel weird and want to clarify this. It's OK to close the issue.

[FRSgit]

Yea, that's just how it's implemented. But for a half a year I didn't get the official response from NPM on this, so I guess we just have to live with it 🤷

[nehadlakha]

npm ERR! code E403
npm ERR! 403 403 Forbidden - GET http://192.168.1.51:8090/ips/block/webcat?cat=1035&pl=0&url=aHR0cDovL3JlZ2lzdHJ5Lm5wbWpzLm9yZy9wcm94eS1hZGRy
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

npm ERR! A complete log of this run can be found in:

I am having this error whenever I am trying to install any package using npm. Please help me resolve it

[vladyslavpron]

npm ERR! code E403 npm ERR! 403 403 Forbidden - GET http://192.168.1.51:8090/ips/block/webcat?cat=1035&pl=0&url=aHR0cDovL3JlZ2lzdHJ5Lm5wbWpzLm9yZy9wcm94eS1hZGRy npm ERR! 403 In most cases, you or one of your dependencies are requesting npm ERR! 403 a package version that is forbidden by your security policy, or npm ERR! 403 on a server you do not have access to.

npm ERR! A complete log of this run can be found in:

I am having this error whenever I am trying to install any package using npm. Please help me resolve it

I have same issue, found a messy workaround:
Install private dependencies with:
https://<username>:<access_token>@github.com/<organisation>/<repo>.git
(you can specify this in package.json, instead of module version)
Don't forget to remove your access token before pushing code into repository!

But I still would like to receive a better way of doing this :/

[rahulmakhija-betaflux]

@vladyslavpron Try this, Works for me
Create a file .npmrc with the below fields in the root directory.
Username:
Password:
Email:
npm.pkg.github.com/:_authToken=
@organisation_name:registry=https://npm.pkg.github.com

[vladyslavpron]

@vladyslavpron Try this, Works for me Create a file .npmrc with the below fields in the root directory. Username: Password: Email: npm.pkg.github.com/:_authToken= @organisation_name:registry=https://npm.pkg.github.com

My issue was solved, it happened that my organization kinda failed up access, thats why it was not working. But thank you for reaching out!