Npm ci = 403 403 Forbidden

I have a dotnet (v3.1) and angular (v11) project I am trying to implement CI/CD with.

I am using two private npm registries (alone, no registry.npmjs.com). I verified the auth tokens are being correctly interpreted from the environment variables in the ./.npmrc file.

Running npm ci locally completes without issue.

When the pipeline job completes in GitLab.com, it fails with an error 403.

However, if I remove that one problematic package from package.json (obviously breaking the build/app otherwise, but to troubleshoot and isolate the problem) the other packages are pulled from the other private registry without issue (fortawesome).

Given that the issue only happens in the GitLab .com job and not locally, it seems impossible that it is an issue with the problematic registry/package or the associated token.

  • What are you seeing, and how does that differ from what you expect to see?

Results in error, expect it to complete successfully.

  • Consider including screenshots, error messages, and/or other helpful visuals

$ npm ci
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET [problematic registry url and package]
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.
npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2021-11-27T01_00_13_546Z-debug.log

  • What version are you on? Are you using self-managed or GitLab.com?

GitLab .com

  • Add the CI configuration from .gitlab-ci.yml and other configuration if relevant (e.g. docker-compose.yml)

  • What troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been?

Searching hasn’t returned anything useful yet. There is this SO post (which didn’t have anything helpful).

This other SO post mentions much the same (NPM registration email, which I can’t imagine applies here), disconnecting from VPN (which seemed impossible to be related to GitLab .com in this case, but I tried it disconnected from VPN too). It does mention package names that are public can be problematic (and the problematic registry has mirrors of many packages for this project which are available on npmjs)… however, that doesn’t explain why it works locally.

Gitlab scenario is using nvm to install/use Node

Online - Node: v14.16.1, and NPM: v6.14.12
Locally - Node: v16.4.0, and NPM: v7.18.1.

Thanks for taking the time to be thorough in your request, it really helps! :blush:

Greatly appreciate any help! :blush:
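
A pre-flight check for the setup described in the post above (an .npmrc with private registries whose tokens come from environment variables), as an added example that is not part of the original post. Run before `npm ci` in the job, it lists which `${VAR}` references are unset or empty in that environment and which registries have no `_authToken` line, without printing any token value; the hosts, scopes and variable names in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Token values are never printed.

# Names of ${VAR} references in an .npmrc that are unset or empty here.
npmrc_missing_vars() (
  grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | tr -d '${}' | sort -u |
  while read -r name; do
    eval "val=\${$name:-}"   # safe: name matched [A-Za-z_][A-Za-z0-9_]* above
    [ -n "$val" ] || printf '%s\n' "$name"
  done
)

# Registry URLs ("registry=" or "@scope:registry=") with no _authToken line.
# Assumes the credential key mirrors the registry URL exactly (a simplification).
npmrc_registries_without_auth() (
  sed -n 's/^[[:space:]]*\(@[^:]*:\)\{0,1\}registry[[:space:]]*=[[:space:]]*//p' "$1" |
  while read -r url; do
    key="//${url#*://}"                        # drop the scheme, keep host and path
    case $key in */) ;; *) key="$key/" ;; esac # credential keys end with a slash
    grep -qF "${key}:_authToken=" "$1" || printf '%s\n' "$url"
  done
)

# Constructed sample .npmrc; hosts, scopes and variable names are placeholders.
write_sample_npmrc() {
  cat > "$1" <<'EOF'
@scope-a:registry=https://npm-a.example.test/
//npm-a.example.test/:_authToken=${NPM_A_TOKEN}
registry=https://npm-b.example.test/repo/npm
//npm-b.example.test/repo/npm/:_authToken=${NPM_B_TOKEN}
@scope-c:registry=https://npm-c.example.test/
EOF
}

# Demo on the constructed file: one token set, one missing, one registry unauthenticated.
sample=$(mktemp)
write_sample_npmrc "$sample"
NPM_A_TOKEN=constructed-value; export NPM_A_TOKEN
unset NPM_B_TOKEN
echo "unset or empty: $(npmrc_missing_vars "$sample" | tr '\n' ' ')"
echo "no auth entry:  $(npmrc_registries_without_auth "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

In a real job, point both functions at the project's own `./.npmrc` instead of the sample file.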