Skip to content
Latchkey

Verdaccio "403 ... not allowed to publish" in CI

Verdaccio authenticated the user but its packages access rules do not grant that user publish rights for the package pattern. 403 is an authorization decision, not a credential failure.

What this error means

npm publish to a Verdaccio registry fails with "npm error code E403" and "you are not allowed to publish" for the package.

npm
npm error code E403
npm error 403 Forbidden - PUT https://verdaccio.internal.example.com/@acme%2fwidgets
npm error 403 user acme-ci is not allowed to publish package @acme/widgets

Common causes

The packages rule does not grant publish

The Verdaccio config.yaml packages: block lists which groups can publish a pattern; the CI user is not in an allowed group for that package.

Publishing to an upstream-proxied pattern

A pattern configured with a proxy: and no local publish permission rejects publishes to keep proxied names read-only.

How to fix it

Grant publish in packages access rules

  1. Edit Verdaccio config.yaml and find the packages: pattern for the scope.
  2. Add the CI user or group to the publish (and unpublish) list.
  3. Restart Verdaccio and re-run the publish.
config.yaml
packages:
  '@acme/*':
    access: $authenticated
    publish: $authenticated
    unpublish: $authenticated

Publish to a local pattern, not a proxied one

Ensure the scope pattern used for publishing has no proxy: so Verdaccio stores it locally.

How to prevent it

  • Define explicit publish groups for internal scope patterns.
  • Keep proxied patterns read-only and publish to local scopes.
  • Use a dedicated CI user in an allowed publish group.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →