Skip to content
Latchkey

Nexus npm "403 Forbidden" (not allowed to publish) in CI

A 403 on npm publish means the credential is valid but the account cannot write to that npm repository. Nexus needs the add/edit privileges for the hosted npm repo on the publishing role.

What this error means

npm publish authenticates but fails with "npm ERR! code E403" and "403 Forbidden - PUT https://nexus.example.com/repository/npm-hosted/...", while reads may still work.

npm
npm ERR! code E403
npm ERR! 403 Forbidden - PUT
https://nexus.example.com/repository/npm-hosted/@acme%2fapp - forbidden

Common causes

The role lacks npm repo add/edit privileges

The publishing account can read but not write; Nexus returns 403 until the role holds nx-repository-view-npm-<repo>-add and -edit.

Publishing to a group or proxy npm repo

A group/proxy npm repo is read-only; some Nexus versions surface this as 403/forbidden on the write attempt.

How to fix it

Grant write privileges and target hosted

  1. Add npm add/edit privileges for the hosted npm repo to the CI role.
  2. Point the .npmrc registry at the hosted npm repo, not the group.
  3. Re-run npm publish.
Nexus privileges
# Privileges for the CI role
nx-repository-view-npm-npm-hosted-add
nx-repository-view-npm-npm-hosted-edit

Confirm the registry is hosted

Ensure the .npmrc registry URL ends in the hosted repo (npm-hosted), since group/proxy repos reject writes.

.npmrc
registry=https://nexus.example.com/repository/npm-hosted/

How to prevent it

  • Give the CI npm role explicit add/edit on the hosted repo.
  • Publish only to hosted npm repositories.
  • Keep publish and read tokens least-privilege.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →