Description
What / Why
We have been seeing Forbidden 403 errors on specific versions of several private packages. The problem versions appear to have successfully published, but we can't npm install them.
When
I was able to reproduce a package version that works and a package version that errors, but I have no idea how to do so reproducibly. As far as I can tell, I published both package versions exactly the same way. We've only seen this with pre-release versions -- just an observation.
Where
One affected package is @redoxengine/rid
Here are npm views for the version that works and the version that doesn't. Same .npmrc file is used for both. It's the same package, just different versions, so I don't think scope would come into play. I ran npm cache clean --force before this:
# Package version that encounters an error:
$ npm install @redoxengine/rid@0.0.7-rid-test.0
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://registry.npmjs.org/@redoxengine/rid/-/rid-0.0.7-rid-test.0.tgz
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/dindurthy/.npm/_logs/2020-05-11T17_53_22_926Z-debug.log
$ npm view @redoxengine/rid@0.0.7-rid-test.0
@redoxengine/rid@0.0.7-rid-test.0 | UNLICENSED | deps: 19 | versions: 57
Shared R^ID Logic
https://github.com/100health/redox-services/libraries/rid/
dist
.tarball: https://registry.npmjs.org/@redoxengine/rid/-/rid-0.0.7-rid-test.0.tgz
.shasum: 732d778708f56aad888f8b1aa3b0c588236b1e68
.integrity: sha512-TGkYW32ye2A2WxxhCdlWxehTaJhiJX+eMiGxZO2WHOv+2eggtkbUBOG/ZmLRqra6qAbS5DWeWB6hvLgdvyqJ2A==
.unpackedSize: 1.1 MB
dependencies:
@redoxengine/claims-validation: ^8.0.210 fp-ts: ^2.5.3
@redoxengine/dc-kafka-client: ^8.0.224 graphile-worker: ^0.4.0
@redoxengine/express-request-authentication: ^8.0.301 io-ts: ^2.1.2
@redoxengine/express-request-authorization: ^8.0.301 kafkajs: ^1.12.0
@redoxengine/express-request-logger: 0.0.16 knex: ^0.20.8
@redoxengine/reaper: ^1.1.2 luxon: ^1.22.0
@redoxengine/structured-logger: ^8.0.283 objection: ^2.1.2
axios: ^0.19.2 pg: ^7.18.1
csv-parse: ^4.8.7 uuid: ^3.4.0
express: ^4.17.1
maintainers:
***
dist-tags:
canary: 0.0.8-rid53.0 latest: 0.0.14
published a week ago by redox-cicd
# Package version that works
$ npm install @redoxengine/rid@0.0.7-cicd-testing.0
npm WARN deprecated @types/chokidar@2.1.3: This is a stub types definition. chokidar provides its own type definitions, so you do not need this installed.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN cicd-test@1.0.0 No license field.
+ @redoxengine/rid@0.0.7-cicd-testing.0
added 284 packages from 266 contributors, removed 108 packages, updated 23 packages, moved 6 packages and audited 3249 packages in 22.581s
3 packages are looking for funding
run `npm fund` for details
found 60 vulnerabilities (33 low, 3 moderate, 24 high)
run `npm audit fix` to fix them, or `npm audit` for details
$ npm view @redoxengine/rid@0.0.7-cicd-testing.0
@redoxengine/rid@0.0.7-cicd-testing.0 | UNLICENSED | deps: 19 | versions: 57
Shared R^ID Logic
https://github.com/100health/redox-services/libraries/rid/
dist
.tarball: https://registry.npmjs.org/@redoxengine/rid/-/rid-0.0.7-cicd-testing.0.tgz
.shasum: ded07976eecce69a44c81032bad7a11384820d9d
.integrity: sha512-BNXkHKteWbUFtpK63Rp14c1LwV/w1trrOfk0fYaR12ziW1PdnzfoVFMZz6+9FNZO6ceCKgvKh1/D5H95bC9dBA==
.unpackedSize: 1.1 MB
dependencies:
@redoxengine/claims-validation: ^8.0.210 fp-ts: ^2.5.3
@redoxengine/dc-kafka-client: ^8.0.224 graphile-worker: ^0.4.0
@redoxengine/express-request-authentication: ^8.0.301 io-ts: ^2.1.2
@redoxengine/express-request-authorization: ^8.0.301 kafkajs: ^1.12.0
@redoxengine/express-request-logger: 0.0.16 knex: ^0.20.8
@redoxengine/reaper: ^1.1.2 luxon: ^1.22.0
@redoxengine/structured-logger: ^8.0.283 objection: ^2.1.2
axios: ^0.19.2 pg: ^7.18.1
csv-parse: ^4.8.7 uuid: ^3.4.0
express: ^4.17.1
maintainers:
***
dist-tags:
canary: 0.0.8-rid53.0 latest: 0.0.14
published a week ago by redox-cicd
dindurthy:~/RedoxDev/redox-services/services/cicd-test $ cat .npmrc
//registry.npmjs.org/:_authToken=***
How
Current Behavior
Some versions of @redoxengine/rid encounter 403 errors when installing.
Steps to Reproduce
1. npm version prerelease --preid "some-prerelease-id"
2. npm publish --tag canary
3. npm install @redoxengine/rid@<new published version>
Except this only sometimes results in 403s.
Expected Behavior
npm install installs the prerelease version successfully.