Skip to content
Latchkey

GitHub Packages "404 Not Found" for a scoped package in CI

GitHub Packages returned 404 for a scoped package. npm either sent the request to the public registry (no scope mapping), or the authenticated token cannot see a private package in that org.

What this error means

npm install fails with "npm error code E404" and "npm error 404 Not Found - GET https://registry.npmjs.org/@acme%2fwidgets" (wrong host) or a 404 against npm.pkg.github.com for a private package.

npm
npm error code E404
npm error 404 Not Found - GET https://registry.npmjs.org/@acme%2fwidgets
npm error 404 '@acme/widgets@^1.0.0' is not in this registry.

Common causes

The scope is not mapped to GitHub Packages

Without @acme:registry=https://npm.pkg.github.com, npm resolves the scoped package on the public registry, where it does not exist (404).

The token cannot see the private package

A private GitHub Packages entry appears as 404 to a token without access to that repository/org, rather than as a 403.

How to fix it

Map the scope to the GitHub Packages registry

  1. Add the scope registry mapping to .npmrc.
  2. Ensure the token has read access to the org packages.
  3. Re-run so the scoped request goes to npm.pkg.github.com.
.npmrc
@acme:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

Grant the token access to the package

For a cross-repo private package, use a PAT or a token whose repository is linked to the package with read access.

How to prevent it

  • Always map private scopes to their registry in .npmrc.
  • Link packages to the consuming repositories for access.
  • Remember a private package reads as 404 without access, not 403.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →