[BUG] E403 has a misleading message for most cases #622

Closed
isaacs opened this issue Dec 21, 2019 · 2 comments
Labels
Bug thing that needs fixing

isaacs commented Dec 21, 2019

What / Why

2f3b79b contained this bit:

+    case 'E403':
+      short.push(['403', er.message])
+      msg = [
+        'In most cases, you or one of your dependencies are requesting',
+        'a package version that is forbidden by your security policy.'
+      ]
+      if (er.parent) {
+        msg.push("\nIt was specified as a dependency of '" + er.parent + "'\n")
+      }
+      detail.push(['403', msg.join('\n')])
+      break
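
Review bot: The `case 'E403'` branch has no check on where the error came from: the "forbidden by your security policy" text is pushed to `detail` for every error with this code, and the only condition in the hunk is `if (er.parent)`. Gate the policy wording on a property that identifies the failing operation, and otherwise fall back to a message built from `er.message` alone. Separately, "In most cases" states a likelihood the code cannot verify; wording it as one possible cause would be safer.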

This is only correct if the error is thrown by npm-pick-manifest, though. If you are trying to publish a package you're not allowed to, or some other random thing that can cause an actual 403 response, you get this error, which is misleading.

Suggestion

Detect errors thrown by npm-pick-manifest or by attempts to fetch a tarball that result in a 403.

For other cases, provide an error message that does not mention security policies or fetching forbidden dependencies.
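
One way to implement the suggestion above, as an added example that is not code from npm or from this issue: classify the E403 first, then choose the wording. The `statusCode`, `method` and `uri` fields, the function names, and the neutral message text are assumptions; the sample errors are constructed.

```javascript
// Added example. statusCode, method and uri are assumed fields attached by the
// HTTP layer; er.code and er.parent are the fields used in the quoted snippet.
function classify403 (er) {
  if (!er || er.code !== 'E403') return 'not-403'
  // No HTTP status: raised locally while picking a version (policy rejection).
  if (er.statusCode === undefined) return 'policy'
  const method = String(er.method || 'GET').toUpperCase()
  // Non-read requests (publish and similar) are authorization failures.
  if (method !== 'GET' && method !== 'HEAD') return 'write-forbidden'
  // A read of a .tgz URL is a tarball fetch.
  if (/\.tgz(?:[?#]|$)/.test(String(er.uri || ''))) return 'tarball-forbidden'
  return 'read-forbidden'
}

function explain403 (er) {
  const kind = classify403(er)
  if (kind === 'not-403') return { kind, detail: '' }
  let msg
  if (kind === 'policy' || kind === 'tarball-forbidden') {
    msg = [
      'You or one of your dependencies are requesting',
      'a package version that is forbidden by your security policy.'
    ]
    if (er.parent) {
      msg.push("\nIt was specified as a dependency of '" + er.parent + "'\n")
    }
  } else {
    // Neutral wording: no mention of security policy or dependencies.
    msg = [
      'The registry refused this request with 403 Forbidden.',
      'Check that you are logged in and have permission for this package.'
    ]
  }
  return { kind, detail: msg.join('\n') }
}

// Constructed sample errors (not captured from a real npm run).
const samples = {
  policy: { code: 'E403', message: 'version forbidden', parent: 'some-app' },
  tarball: { code: 'E403', statusCode: 403, method: 'GET',
    uri: 'https://registry.example/pkg/-/pkg-1.0.0.tgz' },
  publish: { code: 'E403', statusCode: 403, method: 'PUT',
    uri: 'https://registry.example/@scope%2fpkg' },
  packument: { code: 'E403', statusCode: 403, method: 'GET',
    uri: 'https://registry.example/pkg' }
}
for (const [name, er] of Object.entries(samples)) console.log(name, explain403(er).kind)
```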

@jhorbulyk

I'm leaving this as a troubleshooting tip for others that encounter this error message for reasons unrelated to security policies:

One thing that can cause this issue to appear is attempting to publish a scoped package where the name of the scope defined in package.json is slightly different than the name of your npm organization. E.g. the org name on npm is tech.com but package.json has "name":"@techcom/mypackage" when it should be "name":"@tech.com/mypackage".

darcyclarke added the "Bug" (thing that needs fixing) label on Oct 30, 2020
@darcyclarke

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.
