typescriptnpmjenkins-pipelinenexus

How to debug 'npm ERR! 403 In most cases, you or one of your dependencies are requesting a package version that is forbidden by your security policy.'


I am currently trying to set up a Jenkins and a private npm repository (Sonatype Nexus). I get the following error when I try to publish to the repository within a Jenkins build pipeline.

+ npm publish --registry https://<my-private-registry>/repository/npm-private/
npm notice 
npm notice package: ts-acoustics@0.0.0
npm notice === Tarball Contents === 
npm notice 2.4kB  Jenkinsfile                       
...
('notice' level info about the files)
...
npm notice === Tarball Details === 
npm notice name:          ts-acoustics                            
npm notice version:       0.0.0                                   
npm notice package size:  13.8 kB                                 
npm notice unpacked size: 47.5 kB                                 
npm notice shasum:        554b6d2b41321d78e00f6a309bb61c9181a2e3d6
npm notice integrity:     sha512-QtExdu6IqZ+lH[...]r+HXolo4YCFPg==
npm notice total files:   17                                      
npm notice 
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://<my-private-registry>/repository/npm-private/ts-acoustics
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

I find no further info about why it is forbidden in the Nexus logs and this open GitHub bug tells me that the above error text is leading in the wrong direction in most of the cases?!

Any idea of how to proceed to make publishing work?!


Update 1: I just saw that I have the same problem when I try to publish it manually! So Jenkins is out of the equation for simplicity reasons.

Update 2: I can do npm adduser --registry... and npm tells me

Logged in as <my-user> on https://<my-private-registry>/repository/npm-private/.

When I do npm whoami --registry... it displays the correct user name.

When I do npm publish --registry... in the project, it shows the 403 Error


Solution

  • How to debug this:

    As you can see by all the answers, there are a lot of things that result in the same failure message. Here is how you can find your root cause:

    In the Nexus Repository Manager -> menu entry "Logging"
    There you can simply change the log level for each java package Nexus consists of at runtime.

    Change all LogLevels for packages including "security" or "rest" to TRACE and trigger your request again.

    In the LogViewer (also part of Nexus) you can hopefully see all the necessary information to understand the problem now.


    In my case, I had to add the nx-repository-view-*-*-edit privilege to the role I had created for the user that Jenkins uses to login to Nexus. I thought nx-repository-view-*-*-add is enough to publish.

    Hope it helps!