semantic-release npm publish 403 Forbidden in CI
The @semantic-release/npm plugin ran npm publish and the registry returned 403. Unlike ENPMTOKEN, the token is valid; the registry refuses this specific publish because of ownership, scope access, or an attempt to overwrite an existing version.
What this error means
The "Publish" step fails with "npm ERR! code E403" and "403 Forbidden - PUT https://registry.npmjs.org/<pkg>" during the semantic-release run.
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/@scope%2fpkg - You do not have
permission to publish "@scope/pkg". Are you logged in as the correct user?Common causes
The token principal does not own or maintain the package
A 403 on PUT means authentication worked but the account is not an owner or member of the org that controls the package name.
A first publish of a scoped package defaults to private
Publishing a scoped package without --access public on a free plan is rejected as forbidden.
How to fix it
Publish scoped packages with public access
Set public access in publishConfig so the first publish is not treated as a private publish.
{
"publishConfig": { "access": "public" }
}Grant the token principal publish rights
- Confirm which npm user or org the automation token belongs to.
- Add that principal as a maintainer of the package or org team.
- Re-run the release once ownership is in place.
How to prevent it
- Set publishConfig.access:public for scoped public packages.
- Ensure the automation token account maintains the package.
- Let semantic-release compute the version so you never re-publish an existing one.