npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

403 errors on public packages

I have a Jenkins build that just started failing intermittently on npm ci yesterday for public packages. There’s been three failures and one successful build, all on a production node with npm 6.4.1. The failures are from 403 errors on different public packages each time, like 403 Forbidden: @types/angular-ui-bootstrap@0.13.46 and then on a re-run - 403 Forbidden: es6-promise@3.3.1. Looking at the package-lock, which npm ci is using, some dependencies are getting installed before the failures. Artifactory lists npm-remote as in npm-virtual. Any ideas on why this is happening?

The .npmrc is

_auth = [SCRUBBED]
always-auth = true

From package-lock:

    "@types/angular-ui-bootstrap": {
      "version": "0.13.46",
      "resolved": "http://[SCRUBBED]:8081/artifactory/api/npm/npm-virtual/@types/angular-ui-bootstrap/-/angular-ui-bootstrap-0.13.46.tgz",
      "integrity”: “[SCRUBBED]",
      "dev": true,
      "requires": {
        "@types/angular": "*"
    "es6-promise": {
      "version": "3.3.1",
      "resolved": “[SCRUBBED]:8081/artifactory/api/npm/npm-virtual/es6-promise/-/es6-promise-3.3.1.tgz",
      "integrity": “[SCRUBBED]",
      "dev": true

Completely removing _auth and always-auth from .npmrc worked to temporarily fix this problem, but I’d be really grateful if anyone knows the reasoning. We’ll have to add a required _auth token back soon, and the only other idea I have if it starts failing again is to change the registry link to http instead of https ( This suggestion is on other forum posts, with the vague reason of “npm doesn’t handle https well”. (And note for anyone interested in this idea: npm will redirect http to https anyway, so it’s still secure, but slows down the request.)