
JFrog CLI allows NPM Packages to be published in Artifactory which NPM Client doesn't support

Open sanjayc-jfrog opened this issue 2 years ago • 1 comments

Describe the bug

When we publish an npm package that is already present in Artifactory using JFrog CLI, the CLI allows publishing the same package with the same name and version, but when we do the same with the NPM client, it does not allow publishing the package with the same name and version and returns 403.

Current behavior

jf npm publish allows packages to be published in Artifactory that the NPM client does not allow, which causes a discrepancy for customers. Ideally, when we publish a package with the same name and version in Artifactory using npm publish, the NPM client gives a 403 error, but when we publish a package with the same name and version in Artifactory using 'jf npm publish', the package is allowed to be published in Artifactory.

Reproduction steps

  1. Create a local npm repository in an Artifactory instance.
  2. Configure the Artifactory instance with the JFrog CLI using the jf c add command.
  3. Then configure the npm client with the JFrog CLI using the jf npm-config command.
  4. Then publish a sample package like the one below (2026.0.1+1000 & 2026.0.1+1001) using the jf npm publish command.

Below is the package.json file.

```json
{
  "name": "@testproject/test",
  "version": "2026.0.1+1000",
  "description": "sample project",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "sample",
  "license": "ISC"
}
```

Expected behavior

JFrog CLI should return a 403 response when we try to publish a package that already exists with the same name and version.

JFrog CLI version

2.46

Operating system type and version

Arm64/linux

JFrog Artifactory version

NA

JFrog Xray version

No response

sanjayc-jfrog, Sep 17 '23 18:09

For me, this is also clearly a bug but I found a Help Center article on this topic mentioning the JFrog CLI publishing as a workaround. This seems to be very weird to me.

I'd be really glad to have at least an option to enable the default npm publish behaviour, like jf npm publish --fail-if-exists.

biolauri, Feb 29 '24 14:02
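
A pre-publish guard in the spirit of the fail-if-exists behaviour requested in this thread, as an added example (not JFrog CLI code and not written by either poster). `stripBuild`, `checkPublish`, `fetchPackument` and `registryUrl` are hypothetical names, and it assumes the repository serves standard npm package metadata with a `versions` object keyed by version string.

```javascript
// Added example: CI guard to run before `jf npm publish`. Fails closed.

// SemVer 2.0.0 ignores build metadata (the part after "+") for precedence,
// so this guard treats 2026.0.1+1000 and 2026.0.1+1001 as the same version.
function stripBuild(version) {
  return String(version).trim().replace(/^v/, "").split("+")[0];
}

// Decide whether publishing `pkg` would overwrite a version already listed
// in `packument`. `packument` is null when the registry answered 404.
function checkPublish(pkg, packument) {
  const wanted = stripBuild(pkg.version);
  const existing = Object.keys((packument && packument.versions) || {});
  const clash = existing.find((v) => stripBuild(v) === wanted);
  return clash
    ? { allowed: false, reason: `${pkg.name}@${clash} already exists` }
    : { allowed: true, reason: `${pkg.name}@${wanted} is new` };
}

// Fetch package metadata; scoped names need "/" encoded as %2F.
// `registryUrl` is a placeholder for the npm repository URL (assumption).
// Any response other than 200 or 404 throws, so the pipeline stops
// instead of publishing blind.
async function fetchPackument(registryUrl, name, headers = {}) {
  const url = `${registryUrl.replace(/\/+$/, "")}/${name.replace("/", "%2F")}`;
  const res = await fetch(url, { headers });
  if (res.status === 404) return null;
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${url}`);
  return res.json();
}

// Constructed sample data mirroring the package.json from the report.
const samplePkg = { name: "@testproject/test", version: "2026.0.1+1001" };
const samplePackument = {
  name: "@testproject/test",
  versions: { "2026.0.1+1000": {}, "2025.9.0": {} },
};

console.log(checkPublish(samplePkg, samplePackument));
console.log(checkPublish({ ...samplePkg, version: "2026.0.2" }, samplePackument));
```

In a pipeline, exit non-zero when `allowed` is false so the publish step never runs.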