With Artifactory, when you attempt to overwrite an npm package or publish a package with the same name and version as a package that already exists in Artifactory, you receive a 403 Forbidden error.
Artifactory follows the npm specifications as stated on the npm website. It checks whether a package with the same name and version already exists in the target registry. When you execute the command, you can see in artifactory-request.log that the request's endpoint starts with "/api/npm/", indicating the location within Artifactory's resources. At this point, Artifactory performs that check and, if the package already exists, returns a 403 Forbidden error:
2023-06-29T10:37:00.438Z|815e559870f20dce||admin|PUT|/api/npm/davidfa-npm/test1|403|1363|0|15|npm/9.6.6 node/v20.2.0 darwin arm64 workspaces/false
However, it is possible to use JFrog CLI to work around this issue. When using JFrog CLI (with the command jf npm publish), a different endpoint is used. It uploads the file in a generic manner, without considering the package type's individual requirements: it only verifies the user's permissions and uploads the package without performing any additional checks. Below, you can see the different endpoint in the request log when executing the command with JFrog CLI:
2023-06-29T09:37:52.981Z|6aa31be87b775b93||admin|PUT|/davidfa-npm-local/test1/-/test1-1.0.0.tgz|201|312|0|105|jfrog-cli-go/2.32.0
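Because the generic endpoint skips the same-name-and-version check, it is worth auditing artifactory-request.log for npm tarballs that were uploaded outside "/api/npm/". The following is an added example, not JFrog's code: field positions are inferred from the two log lines above, and the function names and the third sample line are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the first two lines are the entries quoted in the article,
# the third is an invented, unrelated read request.
SAMPLE_LOG = """\
2023-06-29T10:37:00.438Z|815e559870f20dce||admin|PUT|/api/npm/davidfa-npm/test1|403|1363|0|15|npm/9.6.6 node/v20.2.0 darwin arm64 workspaces/false
2023-06-29T09:37:52.981Z|6aa31be87b775b93||admin|PUT|/davidfa-npm-local/test1/-/test1-1.0.0.tgz|201|312|0|105|jfrog-cli-go/2.32.0
2023-06-29T11:00:00.000Z|0000000000000000||ci|GET|/api/npm/davidfa-npm/test1|200|0|512|8|npm/9.6.6
"""

# npm endpoint: /api/npm/<repo>/<package>
API_PUBLISH = re.compile(r"^/api/npm/(?P<repo>[^/]+)/(?P<pkg>.+)$")
# Generic upload of an npm tarball: /<repo>/<package>/-/<file>.tgz
GENERIC_TGZ = re.compile(r"^/(?P<repo>[^/]+)/(?P<pkg>(?:@[^/]+/)?[^/]+)/-/.+\.tgz$")

def parse(line):
    """Split one pipe-delimited request-log line (positions assumed from the samples)."""
    f = line.rstrip("\n").split("|")
    if len(f) < 11 or not f[6].isdigit():
        return None
    return {"ts": f[0], "user": f[3], "method": f[4],
            "path": unquote(f[5]), "status": int(f[6]), "agent": f[10]}

def find_generic_npm_uploads(log_text):
    """Return successful tarball PUTs that did not go through /api/npm/."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    # (user, package) pairs that the npm endpoint refused with 403
    rejected = set()
    for e in entries:
        m = API_PUBLISH.match(e["path"])
        if m and e["method"] == "PUT" and e["status"] == 403:
            rejected.add((e["user"], m["pkg"]))
    findings = []
    for e in entries:
        m = GENERIC_TGZ.match(e["path"])
        if m and e["method"] == "PUT" and 200 <= e["status"] < 300:
            findings.append({**e, "repo": m["repo"], "package": m["pkg"],
                             # True when the same user was also refused by the npm API
                             "also_rejected_by_npm_api": (e["user"], m["pkg"]) in rejected})
    return findings

if __name__ == "__main__":
    for hit in find_generic_npm_uploads(SAMPLE_LOG):
        print(hit["ts"], hit["user"], hit["path"], hit["agent"],
              "rejected-by-npm-api" if hit["also_rejected_by_npm_api"] else "")
```

The two sample entries are not in chronological order, so the correlation deliberately ignores timestamps and pairs events by user and package name only.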