npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

First publish with --tag makes package uninstallable

What I Wanted to Do

I’m publishing fresh new scoped packages to an internal registry (Artifactory). During development packages are published with a “dev” dist-tag:

(assume the package name is gerd, version is 1.0.0, and scope is @ermah)

npm publish --tag dev

I expect the package to be installable with

npm install @ermah/gerd@1.0.0


npm install @ermah/gerd@dev

All config (package.json, .npmrc, name of package) is done correctly, so that’s not the issue

What Happened Instead

After the very first publish ever, when trying to install the package, I instead get a 404 error stating the package doesn’t exist. However, I do see in the registry, so it does get published.

Reproduction Steps

  1. Publish a fresh new package (not in registry yet) with a dist-tag first.
  2. Try to install it.


Publishing the package again (with or without a dist-tag) seems to forcefully populate the “latest” tag. After that everything starts working correctly.

So it seems that until there’s something in the “latest” tag the package is not considered registered.

Am I missing something or is this the intended behaviour? The idea is that I don’t want to publish the package to latest until it’s fully developed. But I do want to use another dist tag internally for testing.

Platform Info

$ npm --versions
{ npm: '6.4.0',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.9.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '',
  zlib: '1.2.11' }

$ node -p process.platform

Can you reproduce this against the main npm registry? I’m pretty sure we create a latest tag by default, regardless. If not, that’s a bug in the registry.

This smells to me like an artifactory bug, regardless of what the main registry does, though. latest is expected to exist.

zkat, I don’t have a paid account so I can’t try private/scoped packages. I thought I could publish one for free, but I think it’s Docker that offers it. If somebody else could try it it’d be great and we could confirm that it’s, in fact, Artifactory that has a problem.

But the public publishing seems to work fine, I’ve just tried it.

This might indeed be Artifactory since somebody else would’ve noticed it already, I’m sure.

You can publish public scoped packages by doing npm publish --access=public.

Ah, thanks for that! I haven’t published much to the public registry, clearly :slight_smile:

Scoped packages work too. So it’s an Artifactory bug after all. I scanned their release notes and can’t find anything addressing this particular issue, unfortunately. Either way, thanks zcat! Case closed. :+1: