Skip to content
Latchkey

Nexus npm "403 ... not allowed to PUT" on publish in CI

Nexus authenticated the npm publish (so it is not a 401) but the user's role has no add/edit privilege on the npm hosted repository. 403 is an authorization decision; add the write privilege.

What this error means

npm publish to a Nexus npm hosted registry fails with "npm error code E403" and "403 Forbidden - PUT https://nexus.example.com/repository/npm-hosted/@acme%2fwidgets".

npm
npm error code E403
npm error 403 Forbidden - PUT https://nexus.example.com/repository/npm-hosted/@acme%2fwidgets
npm error 403 In most cases, you or one of your dependencies are requesting a package version that is forbidden by your security policy, or on a server you do not have access to.

Common causes

The role lacks add/edit privilege on the repo

The Nexus user's role has read (browse/read) but not the nx-repository-view-npm-<repo>-add/edit privilege, so PUT is forbidden.

Publishing to a proxy or group instead of hosted

npm publish must target a hosted repo; pointing it at a proxy or group repo yields 403 because those are not writable.

How to fix it

Grant the add/edit privilege and target the hosted repo

  1. In Nexus, give the CI user's role the add and edit privileges for the npm hosted repo.
  2. Point the publish .npmrc registry at the hosted repo, not a group or proxy.
  3. Re-run the publish.
.npmrc
registry=https://nexus.example.com/repository/npm-hosted/
//nexus.example.com/repository/npm-hosted/:_authToken=${NPM_TOKEN}

Confirm the repo is writable

Only hosted repositories accept publishes; verify the target is a hosted npm repo in Nexus.

How to prevent it

  • Grant CI roles explicit add/edit privileges on hosted repos.
  • Publish to hosted repos, never to group or proxy repos.
  • Keep a dedicated CI role with least-privilege write access.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →