Nexus npm "403 ... not allowed to PUT" on publish in CI
Nexus authenticated the npm publish (so it is not a 401) but the user's role has no add/edit privilege on the npm hosted repository. 403 is an authorization decision; add the write privilege.
What this error means
npm publish to a Nexus npm hosted registry fails with "npm error code E403" and "403 Forbidden - PUT https://nexus.example.com/repository/npm-hosted/@acme%2fwidgets".
npm error code E403
npm error 403 Forbidden - PUT https://nexus.example.com/repository/npm-hosted/@acme%2fwidgets
npm error 403 In most cases, you or one of your dependencies are requesting a package version that is forbidden by your security policy, or on a server you do not have access to.Common causes
The role lacks add/edit privilege on the repo
The Nexus user's role has read (browse/read) but not the nx-repository-view-npm-<repo>-add/edit privilege, so PUT is forbidden.
Publishing to a proxy or group instead of hosted
npm publish must target a hosted repo; pointing it at a proxy or group repo yields 403 because those are not writable.
How to fix it
Grant the add/edit privilege and target the hosted repo
- In Nexus, give the CI user's role the add and edit privileges for the npm hosted repo.
- Point the publish
.npmrcregistry at the hosted repo, not a group or proxy. - Re-run the publish.
registry=https://nexus.example.com/repository/npm-hosted/
//nexus.example.com/repository/npm-hosted/:_authToken=${NPM_TOKEN}Confirm the repo is writable
Only hosted repositories accept publishes; verify the target is a hosted npm repo in Nexus.
How to prevent it
- Grant CI roles explicit add/edit privileges on hosted repos.
- Publish to hosted repos, never to group or proxy repos.
- Keep a dedicated CI role with least-privilege write access.