When attempting to push a NuGet package to an Artifactory Local NuGet repository using the 'api/nuget' path, users may encounter 403 responses when trying to overwrite an existing package with a simple versioning scheme (e.g., 1.0.0). This response is expected, as it indicates a lack of Delete/Overwrite permissions.
But here's where it gets interesting: if your package version contains a dash followed by some text (like '1.0.0-pre' or '1.0.0-test'), the upload goes through smoothly, even if there's already a package with the same name. This means the package pre-release version with the dash can overwrite the existing one without any extra permissions.
Why does Artifactory allow this?
It's all about balancing security and convenience. JFrog’s Artifactory understands that customers are cautious about granting Delete/Overwrite permissions to developers for NuGet repositories, especially when handling release artifacts. Nobody wants to accidentally delete or mess up vital packages.
To address this concern, a clever solution was implemented back in 2015 (RTFACT-7636) to handle scenarios where a NuGet package in a pre-release version uses a dash in its versioning.
As NuGet repositories don’t have a clean-up policy for pre-release artifacts, allowing dashes in pre-release versions helps Artifactory distinguish them from standard releases and enables better management of pre-release artifacts without the need for explicit cleanup policies.
In summary, the behavior during the deployment of NuGet pre-release versions in Artifactory, where overwriting is permitted without requiring Delete/Overwrite permissions, is a deliberate design choice aimed at facilitating smoother repository management while addressing user concerns about accidental package deletion or overwriting.
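Because pre-release versions can be replaced without Delete/Overwrite permissions, the same package ID and version may resolve to different content over time. The following is an added example, not JFrog code: it flags pre-release coordinates whose checksum changed between deployments. The record fields (id, version, sha256, user) and the sample data are constructed assumptions, not an Artifactory log format.

```python
import re
from collections import defaultdict

# Rule described in the article: a dash followed by some text marks a
# pre-release version (e.g. 1.0.0-pre); plain 1.0.0 is a release.
PRERELEASE = re.compile(r"^\d+(\.\d+){1,3}-[0-9A-Za-z.-]+")

def is_prerelease(version: str) -> bool:
    return PRERELEASE.match(version) is not None

def find_mutated_prereleases(events):
    """Return {(id, version): [sha256, ...]} for pre-release coordinates
    that were deployed with more than one distinct checksum."""
    seen = defaultdict(list)
    for ev in events:
        # NuGet treats package IDs and versions case-insensitively.
        key = (ev["id"].lower(), ev["version"].lower())
        if is_prerelease(ev["version"]) and ev["sha256"] not in seen[key]:
            seen[key].append(ev["sha256"])
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed deploy records (hypothetical field names and values).
EVENTS = [
    {"id": "Acme.Core", "version": "1.0.0", "sha256": "aa11", "user": "ci"},
    {"id": "Acme.Core", "version": "1.0.0-pre", "sha256": "bb22", "user": "ci"},
    # Re-push of identical content: not a change.
    {"id": "Acme.Core", "version": "1.0.0-pre", "sha256": "bb22", "user": "ci"},
    # Same coordinates, different content: the overwrite case.
    {"id": "acme.core", "version": "1.0.0-PRE", "sha256": "cc33", "user": "dev1"},
    {"id": "Acme.Util", "version": "2.1.0-test", "sha256": "dd44", "user": "ci"},
]

if __name__ == "__main__":
    for (pkg, ver), sums in find_mutated_prereleases(EVENTS).items():
        print(f"{pkg} {ver}: content changed across deploys -> {sums}")
```

Builds that consume pre-release versions from such a repository can record the checksum they resolved and compare it on later restores.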