
[BUG] Forbidden 403 errors on specific package versions #1294

Closed
dindurthy opened this issue May 14, 2020 · 6 comments
Labels
Bug thing that needs fixing

Comments

@dindurthy

What / Why

We have been seeing Forbidden 403 errors on specific versions of several private packages. The problem versions appear to have successfully published, but we can't npm install them.

When

I was able to reproduce a package version that works and a package version that errors, but I have no idea how to do so reproducibly. As far as I can tell, I published both package versions exactly the same way. We've only seen this with pre-release versions -- just an observation.

Where

One affected package is @redoxengine/rid

Here are npm views for the version that works and the version that doesn't. Same .npmrc file is used for both. It's the same package, just different versions, so I don't think scope would come into play. I ran npm cache clean --force before this:

# Package version that encounters an error:
$ npm install @redoxengine/rid@0.0.7-rid-test.0
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://registry.npmjs.org/@redoxengine/rid/-/rid-0.0.7-rid-test.0.tgz
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/dindurthy/.npm/_logs/2020-05-11T17_53_22_926Z-debug.log

$ npm view @redoxengine/rid@0.0.7-rid-test.0

@redoxengine/rid@0.0.7-rid-test.0 | UNLICENSED | deps: 19 | versions: 57
Shared R^ID Logic
https://github.com/100health/redox-services/libraries/rid/

dist
.tarball: https://registry.npmjs.org/@redoxengine/rid/-/rid-0.0.7-rid-test.0.tgz
.shasum: 732d778708f56aad888f8b1aa3b0c588236b1e68
.integrity: sha512-TGkYW32ye2A2WxxhCdlWxehTaJhiJX+eMiGxZO2WHOv+2eggtkbUBOG/ZmLRqra6qAbS5DWeWB6hvLgdvyqJ2A==
.unpackedSize: 1.1 MB

dependencies:
@redoxengine/claims-validation: ^8.0.210              fp-ts: ^2.5.3
@redoxengine/dc-kafka-client: ^8.0.224                graphile-worker: ^0.4.0
@redoxengine/express-request-authentication: ^8.0.301 io-ts: ^2.1.2
@redoxengine/express-request-authorization: ^8.0.301  kafkajs: ^1.12.0
@redoxengine/express-request-logger: 0.0.16           knex: ^0.20.8
@redoxengine/reaper: ^1.1.2                           luxon: ^1.22.0
@redoxengine/structured-logger: ^8.0.283              objection: ^2.1.2
axios: ^0.19.2                                        pg: ^7.18.1
csv-parse: ^4.8.7                                     uuid: ^3.4.0
express: ^4.17.1

maintainers:
***


dist-tags:
canary: 0.0.8-rid53.0  latest: 0.0.14

published a week ago by redox-cicd

# Package version that works
$ npm install @redoxengine/rid@0.0.7-cicd-testing.0
npm WARN deprecated @types/[email protected]: This is a stub types definition. chokidar provides its own type definitions, so you do not need this installed.
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN [email protected] No license field.

+ @redoxengine/rid@0.0.7-cicd-testing.0
added 284 packages from 266 contributors, removed 108 packages, updated 23 packages, moved 6 packages and audited 3249 packages in 22.581s

3 packages are looking for funding
  run `npm fund` for details

found 60 vulnerabilities (33 low, 3 moderate, 24 high)
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm view @redoxengine/rid@0.0.7-cicd-testing.0

@redoxengine/rid@0.0.7-cicd-testing.0 | UNLICENSED | deps: 19 | versions: 57
Shared R^ID Logic
https://github.com/100health/redox-services/libraries/rid/

dist
.tarball: https://registry.npmjs.org/@redoxengine/rid/-/rid-0.0.7-cicd-testing.0.tgz
.shasum: ded07976eecce69a44c81032bad7a11384820d9d
.integrity: sha512-BNXkHKteWbUFtpK63Rp14c1LwV/w1trrOfk0fYaR12ziW1PdnzfoVFMZz6+9FNZO6ceCKgvKh1/D5H95bC9dBA==
.unpackedSize: 1.1 MB

dependencies:
@redoxengine/claims-validation: ^8.0.210              fp-ts: ^2.5.3
@redoxengine/dc-kafka-client: ^8.0.224                graphile-worker: ^0.4.0
@redoxengine/express-request-authentication: ^8.0.301 io-ts: ^2.1.2
@redoxengine/express-request-authorization: ^8.0.301  kafkajs: ^1.12.0
@redoxengine/express-request-logger: 0.0.16           knex: ^0.20.8
@redoxengine/reaper: ^1.1.2                           luxon: ^1.22.0
@redoxengine/structured-logger: ^8.0.283              objection: ^2.1.2
axios: ^0.19.2                                        pg: ^7.18.1
csv-parse: ^4.8.7                                     uuid: ^3.4.0
express: ^4.17.1

maintainers:
***

dist-tags:
canary: 0.0.8-rid53.0  latest: 0.0.14

published a week ago by redox-cicd

dindurthy:~/RedoxDev/redox-services/services/cicd-test $ cat .npmrc
//registry.npmjs.org/:_authToken=***

How

Current Behavior

Some versions of @redoxengine/rid encounter 403 errors when installing.

Steps to Reproduce

npm version prerelease --preid "some-prerelease-id"
npm publish --tag canary
npm install @redoxengine/rid@<new published version>

Except this only sometimes results in 403s.

Expected Behavior

npm install installs the prerelease version successfully.
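The symptom above is that the packument is readable (npm view succeeds, with a dist.tarball, dist.shasum and dist.integrity) while the tarball GET is denied. A post-publish smoke test in CI can separate those two failures and also confirm that the downloaded tarball matches the integrity the registry advertises. The following is an added example, not code from the npm CLI or from the reporter; it takes the fields from `npm view --json` output and the tarball bytes as plain arguments, uses constructed sample bytes, and assumes the public registry URL layout shown in the error message (`<registry>/<name>/-/<unscoped name>-<version>.tgz`).

```python
"""Post-publish checks for an npm package version (added example).

- expected_tarball_url: the canonical tarball path for name@version
- compute_integrity / verify_tarball: SRI-style sha512 (and sha1 shasum) checks
- diagnose: classify the packument/tarball response pair seen by a client
"""
import base64
import hashlib
import re
from typing import Optional, Tuple

REGISTRY = "https://registry.npmjs.org"


def expected_tarball_url(name: str, version: str, registry: str = REGISTRY) -> str:
    """Canonical tarball location: <registry>/<full name>/-/<unscoped name>-<version>.tgz.
    For a scoped package the file name drops the scope, the directory keeps it."""
    unscoped = name.split("/", 1)[1] if name.startswith("@") else name
    return f"{registry}/{name}/-/{unscoped}-{version}.tgz"


def compute_integrity(data: bytes) -> str:
    """Integrity string in the form npm records it: 'sha512-' + base64 digest."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def compute_shasum(data: bytes) -> str:
    """Legacy dist.shasum field: hex sha1 of the tarball bytes."""
    return hashlib.sha1(data).hexdigest()


def parse_integrity(integrity: str) -> Tuple[str, bytes]:
    """Split '<algo>-<base64>' into (algorithm, raw digest bytes); reject malformed input."""
    m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})", integrity)
    if not m:
        raise ValueError(f"malformed integrity string: {integrity!r}")
    return m.group(1), base64.b64decode(m.group(2))


def verify_tarball(data: bytes, integrity: str, shasum: Optional[str] = None) -> bool:
    """True only if the bytes match the advertised integrity (and shasum, when given)."""
    algo, expected = parse_integrity(integrity)
    if hashlib.new(algo, data).digest() != expected:
        return False
    if shasum is not None and compute_shasum(data) != shasum.lower():
        return False
    return True


def diagnose(packument_status: int, tarball_status: int) -> str:
    """Classify the two HTTP responses a client needs: the packument GET (what
    `npm view` reads) and the tarball GET (what `npm install` fetches)."""
    if packument_status == 200 and tarball_status == 200:
        return "ok"
    if packument_status == 200 and tarball_status in (401, 403):
        return ("metadata readable but tarball denied: the token or registry policy "
                "rejects the tarball path, not the package")
    if packument_status in (401, 403):
        return "metadata denied: the token has no read access to this package"
    if tarball_status == 404:
        return "tarball missing: publish did not complete or the URL does not match"
    return f"unexpected responses: packument={packument_status} tarball={tarball_status}"


if __name__ == "__main__":
    # Constructed sample: stand-in tarball bytes, hashed locally.
    sample = b"constructed tarball bytes, not a real .tgz"
    integrity = compute_integrity(sample)
    print(expected_tarball_url("@redoxengine/rid", "0.0.7-rid-test.0"))
    print("integrity matches:", verify_tarball(sample, integrity, compute_shasum(sample)))
    print("packument 200 / tarball 403 ->", diagnose(200, 403))
```

In a pipeline the inputs would come from `npm view <name>@<version> --json` (the `dist` object) and a `curl` of `dist.tarball` sent with the same `_authToken` the install uses; running `diagnose` on the two status codes tells you immediately whether the failure is at the package level or only at the tarball path, which is the distinction the logs in this issue hinge on.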

@erango

erango commented Jun 1, 2020

We are experiencing this as well, did you ever find a solution to this?
When releasing the same (private, scoped) package -- as a pre-release it is published correctly but when trying to install it we get a 403. When published as a normal release, it works fine.

@dindurthy
Author

@erango Nope, it's a bug completely obscure to me. It's not in the client -- pretty sure it's a server issue, so there's nothing for me to look at. But it's intermittent enough that our devs just re-publish until it works. It did seem to only affect pre-release versions.

@erango

erango commented Jul 14, 2020

@dindurthy for me it was 100% of the time for certain packages, and never for other (older) packages. I just gave up and tested locally then went on to a normal release 🤷

@darcyclarke darcyclarke added the Bug thing that needs fixing label Oct 30, 2020
@jtama

jtama commented Feb 24, 2021

Any news on this? We are experiencing it 100% of the tries... Does a republish solve it?

@erango

erango commented Feb 25, 2021

It didn't for me. I just stopped using pre-releases for the affected packages.

@darcyclarke
Contributor

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.
