Verdaccio "403 ... not allowed to publish" in CI
Verdaccio authenticated the user but its packages access rules do not grant that user publish rights for the package pattern. 403 is an authorization decision, not a credential failure.
What this error means
npm publish to a Verdaccio registry fails with "npm error code E403" and "you are not allowed to publish" for the package.
npm
npm error code E403
npm error 403 Forbidden - PUT https://verdaccio.internal.example.com/@acme%2fwidgets
npm error 403 user acme-ci is not allowed to publish package @acme/widgetsCommon causes
The packages rule does not grant publish
The Verdaccio config.yaml packages: block lists which groups can publish a pattern; the CI user is not in an allowed group for that package.
Publishing to an upstream-proxied pattern
A pattern configured with a proxy: and no local publish permission rejects publishes to keep proxied names read-only.
How to fix it
Grant publish in packages access rules
- Edit Verdaccio
config.yamland find thepackages:pattern for the scope. - Add the CI user or group to the
publish(andunpublish) list. - Restart Verdaccio and re-run the publish.
config.yaml
packages:
'@acme/*':
access: $authenticated
publish: $authenticated
unpublish: $authenticatedPublish to a local pattern, not a proxied one
Ensure the scope pattern used for publishing has no proxy: so Verdaccio stores it locally.
How to prevent it
- Define explicit publish groups for internal scope patterns.
- Keep proxied patterns read-only and publish to local scopes.
- Use a dedicated CI user in an allowed publish group.
Related guides
npm "E401 ... no auth token" for a private registry in CIFix npm "E401 Unauthorized ... no auth token" against a private registry in CI - .npmrc has no _authToken lin…
Artifactory "403 Forbidden" deploy permission in CIFix Artifactory "403 Forbidden" when deploying an artifact in CI - the token authenticated but the user lacks…
GitHub Packages "permission_denied: write_package" in CIFix GitHub Packages "permission_denied: write_package" in CI - the GITHUB_TOKEN job lacks packages: write, or…