Current Behavior
When running nx release publish in CI (GitLab, OIDC auth), the npm view pre-check that's supposed to skip already-published packages doesn't work for restricted ("access": "restricted") scoped packages. Instead of skipping, nx falls through to pnpm publish which 403s with "You cannot publish over the previously published versions".
This happens because npm view for a restricted package returns a 404 when there's no auth token available for read operations (OIDC tokens only apply during npm publish --provenance, not during npm view). The executor's catch block at release-publish.impl.ts:291 sees the 404 and interprets it as "package doesn't exist yet, first-time publish" -- so it proceeds to publish, which then fails with 403 because the version already exists.
For public packages the pre-check works perfectly -- we see Skipped package "@zappar/mattercraft-transformers" because v0.3.1 already exists in the logs. But for our one restricted package (@zappar/mpm), it always tries to re-publish.
Expected Behavior
nx release publish should gracefully handle restricted packages that are already published. Either:
- The
npm view command should use whatever auth is available (OIDC or otherwise) for read operations too, or
- A 403 "already published" response from
pnpm publish should be treated as a success (the version exists, which is the desired state), or
- There should be a way to skip specific packages from the publish step without removing them from the release config entirely
GitHub Repo
No response
Steps to Reproduce
- Set up an nx monorepo with independent versioning and
createRelease: "gitlab"
- Have a mix of public and restricted (
"access": "restricted") scoped packages
- Configure OIDC auth via
id_tokens in .gitlab-ci.yml (no NODE_AUTH_TOKEN)
- Publish all packages at least once
- Make a change to only ONE package, run
nx release --skip-publish then nx release publish
- The unchanged restricted package will 403 because
npm view returns 404 (no auth for reads) and nx tries to re-publish the existing version
The public packages correctly show "Skipped ... because vX.Y.Z already exists" but restricted packages always attempt to publish.
Nx Report
nx 22.5.4
pnpm 10.32.1
node 24
Failure Logs
> nx run @scope/private-package:nx-release-publish
pnpm publish error:
403 Forbidden - PUT https://registry.npmjs.org/@scope%2fprivate-package - You cannot publish over the previously published versions: 1.3.0.
Meanwhile, public packages in the same run correctly skip:
> nx run @scope/public-package:nx-release-publish
Skipped package "@scope/public-package" because v0.3.1 already exists in https://registry.npmjs.org/ with tag "latest"
Package Manager Version
pnpm 10.32.1
Operating System
Additional Information
We worked around this by changing all packages except the problematic one to "access": "public" and running npm access set status=public on the registry. But that's not viable for packages that genuinely need to stay restricted.
Current Behavior
When running
nx release publishin CI (GitLab, OIDC auth), thenpm viewpre-check that's supposed to skip already-published packages doesn't work for restricted ("access": "restricted") scoped packages. Instead of skipping, nx falls through topnpm publishwhich 403s with "You cannot publish over the previously published versions".This happens because
npm viewfor a restricted package returns a 404 when there's no auth token available for read operations (OIDC tokens only apply duringnpm publish --provenance, not duringnpm view). The executor's catch block atrelease-publish.impl.ts:291sees the 404 and interprets it as "package doesn't exist yet, first-time publish" -- so it proceeds to publish, which then fails with 403 because the version already exists.For public packages the pre-check works perfectly -- we see
Skipped package "@zappar/mattercraft-transformers" because v0.3.1 already existsin the logs. But for our one restricted package (@zappar/mpm), it always tries to re-publish.Expected Behavior
nx release publishshould gracefully handle restricted packages that are already published. Either:npm viewcommand should use whatever auth is available (OIDC or otherwise) for read operations too, orpnpm publishshould be treated as a success (the version exists, which is the desired state), orGitHub Repo
No response
Steps to Reproduce
createRelease: "gitlab""access": "restricted") scoped packagesid_tokensin.gitlab-ci.yml(noNODE_AUTH_TOKEN)nx release --skip-publishthennx release publishnpm viewreturns 404 (no auth for reads) and nx tries to re-publish the existing versionThe public packages correctly show "Skipped ... because vX.Y.Z already exists" but restricted packages always attempt to publish.
Nx Report
Failure Logs
Package Manager Version
pnpm 10.32.1
Operating System
Additional Information
We worked around this by changing all packages except the problematic one to
"access": "public"and runningnpm access set status=publicon the registry. But that's not viable for packages that genuinely need to stay restricted.