Nexus npm "403 Forbidden" (not allowed to publish) in CI
A 403 on npm publish means the credential is valid but the account cannot write to that npm repository. Nexus needs the add/edit privileges for the hosted npm repo on the publishing role.
What this error means
npm publish authenticates but fails with "npm ERR! code E403" and "403 Forbidden - PUT https://nexus.example.com/repository/npm-hosted/...", while reads may still work.
npm ERR! code E403
npm ERR! 403 Forbidden - PUT
https://nexus.example.com/repository/npm-hosted/@acme%2fapp - forbiddenCommon causes
The role lacks npm repo add/edit privileges
The publishing account can read but not write; Nexus returns 403 until the role holds nx-repository-view-npm-<repo>-add and -edit.
Publishing to a group or proxy npm repo
A group/proxy npm repo is read-only; some Nexus versions surface this as 403/forbidden on the write attempt.
How to fix it
Grant write privileges and target hosted
- Add npm add/edit privileges for the hosted npm repo to the CI role.
- Point the .npmrc registry at the hosted npm repo, not the group.
- Re-run npm publish.
# Privileges for the CI role
nx-repository-view-npm-npm-hosted-add
nx-repository-view-npm-npm-hosted-editConfirm the registry is hosted
Ensure the .npmrc registry URL ends in the hosted repo (npm-hosted), since group/proxy repos reject writes.
registry=https://nexus.example.com/repository/npm-hosted/How to prevent it
- Give the CI npm role explicit add/edit on the hosted repo.
- Publish only to hosted npm repositories.
- Keep publish and read tokens least-privilege.