
node-npm-install

Optum's Artifactory blocks npm packages that are younger than 5 days, and also blocks packages with Critical or High CVEs or known supply-chain compromises. This skill gives techniques for getting npm installs through that curation policy.

IDE:
claude
codex
vscode
Version:
0.0.0

npm install instructions

Optum blocks package versions that are not at least 5 days old, and blocks versions with Critical or High severity CVEs as well. The delay is a supply-chain control (it gives time for a compromised or malicious release to be noticed and pulled before anyone inside installs it), so the goal is to satisfy it with a mature version, not to route around it. When npm install fails because of these curation policies, follow this systematic approach:

Step 1: Identify Blocked Packages

When npm fails with 403 errors, look for notices like:

npm notice package <package-name>:<version> download was blocked by jfrog packages curation service due to the following policies violated {DelayNPM,NewNPM,Package version is X days old,Use an older version or wait until this version is no longer immature}

The braces list the violated policies; the "Package version is X days old" entry tells you how far the version is from the 5-day threshold. Note the package name and version from every such notice, not just the first one, because npm usually reports several at once.

Step 2: Find Compatible Versions

For each blocked package, use npm view <package-name> time to list every published version with its publish timestamp (the output also contains created and modified entries, which are not versions; add --json if you want to process the output with a script):

npm view <package-name> time
npm view <package-name> time | tail -20  # For recent versions
npm view <package-name> time | grep "2025-09"  # For specific timeframe

Key Strategy: Use the newest stable version whose publish date is at least 5 days before today. Judge by the date, not the version number: a patch release can be newer than a higher minor, and prerelease tags should be skipped. If a package was blocked for a Critical or High CVE rather than for age, do not simply go older, because the older version may be the one that carries the vulnerability; read the advisory and choose a version outside the affected range.

Step 3: Pin Compatible Versions

Add package overrides to your package.json to force npm to use the specific, older versions. An override applies wherever the package appears in the dependency tree, including as a transitive dependency of something else, which is why it works for packages you never listed yourself (overrides require npm 8.3 or newer):

{
  "name": "your-project",
  "dependencies": { ... },
  "devDependencies": { ... },
  "overrides": {
    "<blocked-package-1>": "<compatible-version-1>",
    "<blocked-package-2>": "<compatible-version-2>",
    "<blocked-package-3>": "<compatible-version-3>"
  }
}

Example from a real scenario (these were the newest mature versions on the day the install was attempted; recompute them for your own date rather than copying them):

"overrides": {
  "rollup": "4.50.0",
  "electron-to-chromium": "1.5.200",
  "caniuse-lite": "1.0.30001740",
  "baseline-browser-mapping": "2.8.5",
  "react-day-picker": "9.0.9",
  "@types/react": "18.2.9",
  "@types/react-dom": "18.2.9"
}

Step 4: Handle Dependency Conflicts

npm raises EOVERRIDE when an override for a package conflicts with the version range you declared for that same package as a direct dependency. If you hit override conflicts, consider:

  1. Downgrade main dependencies to versions compatible with the override (for example ^18.2.0 instead of ^19.x.x; package.json does not allow comments, so keep the reasoning in your commit message):

    "dependencies": {
      "react": "^18.2.0",
      "react-dom": "^18.2.0"
    }
    
  2. Adjust devDependencies to match: pin the @types packages to the exact overridden versions, and downgrade the toolchain to releases that support the older framework (here @vitejs/plugin-react from 5.x to ^4.3.0 and vite from 7.x to ^5.4.0):

    "devDependencies": {
      "@types/react": "18.2.9",
      "@types/react-dom": "18.2.9",
      "@vitejs/plugin-react": "^4.3.0",
      "vite": "^5.4.0"
    }
    
    

Step 5: Install with Overrides

Run npm install again. The overrides force npm to resolve the pinned versions everywhere they occur in the tree, and the regenerated package-lock.json records them, so commit the lockfile together with package.json so CI resolves the same versions:

npm install

Repeat as necessary: resolving one set of blocked packages often pulls in other packages that are blocked in turn. Repeat steps 2-4 for each new notice until the install completes without 403 errors.

Step 6: Verify Installation Success

  • Check that the install completed without 403 errors or block notices
  • Confirm the resolved versions with npm ls <package-name>; if a blocked version still appears, the override is missing or misspelled
  • Run npm audit: the same policy blocks Critical and High CVEs, so a pinned older version that carries one will fail later even if it installed today
  • Verify your application builds and runs correctly
  • Test key functionality to ensure compatibility with downgraded packages
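The Step 1 through Step 3 loop as a script, added here as an example and not part of the original skill. It parses the block notices out of npm's output, picks for each blocked package the newest stable version that is at least 5 days old according to the `npm view <pkg> time --json` map, and prints the overrides object to paste into package.json. The npm output and the time maps below are constructed sample data (the package names are real, the versions and dates are made up for the example); in practice you would pipe in real npm output and the real `npm view` JSON.

```javascript
// Added example: automate Steps 1-3 of the skill offline on constructed data.
const MIN_AGE_DAYS = 5;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed npm output in the shape quoted in Step 1 (versions made up).
const SAMPLE_NPM_OUTPUT = `
npm notice package rollup:4.50.1 download was blocked by jfrog packages curation service due to the following policies violated {DelayNPM,NewNPM,Package version is 2 days old,Use an older version or wait until this version is no longer immature}
npm notice package @types/react:18.2.10 download was blocked by jfrog packages curation service due to the following policies violated {DelayNPM,NewNPM,Package version is 1 days old,Use an older version or wait until this version is no longer immature}
npm ERR! code E403
`;

// Constructed `npm view <pkg> time --json` results, keyed by package name.
// Real output also carries "created"/"modified" keys; they are skipped below.
const SAMPLE_TIMES = {
  rollup: {
    created: "2015-03-01T00:00:00.000Z",
    modified: "2025-09-10T12:00:00.000Z",
    "4.49.0": "2025-08-20T08:00:00.000Z",
    "4.50.0": "2025-09-03T09:15:00.000Z",
    "4.50.1": "2025-09-10T12:00:00.000Z",        // 2 days old at NOW: blocked
    "4.51.0-beta.1": "2025-08-25T12:00:00.000Z", // prerelease: never chosen
  },
  "@types/react": {
    "18.2.9": "2025-08-30T00:00:00.000Z",
    "18.2.10": "2025-09-11T00:00:00.000Z",       // 1 day old at NOW: blocked
  },
};

// Step 1: extract {name, version} from every block notice (scoped names included).
function parseBlockedNotices(output) {
  const re = /^npm notice package ([^\s:]+):(\S+) download was blocked/gm;
  const blocked = [];
  let m;
  while ((m = re.exec(output)) !== null) blocked.push({ name: m[1], version: m[2] });
  return blocked;
}

// Strict MAJOR.MINOR.PATCH parse; prereleases and created/modified keys yield null.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Step 2: newest stable version published at least minAgeDays before `now`,
// or null when nothing qualifies. Maturity is judged by publish date, not by
// version number, so 4.50.1 can be blocked while 4.50.0 passes.
function pickMatureVersion(timeMap, now, minAgeDays = MIN_AGE_DAYS) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const mature = Object.keys(timeMap)
    .filter((v) => parseSemver(v) !== null && Date.parse(timeMap[v]) <= cutoff)
    .sort(compareSemver);
  return mature.length ? mature[mature.length - 1] : null;
}

// Step 3: build the exact-version "overrides" map for every blocked package.
function buildOverrides(npmOutput, times, now, minAgeDays = MIN_AGE_DAYS) {
  const overrides = {};
  for (const { name, version } of parseBlockedNotices(npmOutput)) {
    const picked = pickMatureVersion(times[name] || {}, now, minAgeDays);
    if (picked === null) throw new Error(`${name}: no version is ${minAgeDays}+ days old`);
    if (picked === version) throw new Error(`${name}@${version}: blocked by the registry but judged mature here, recheck the dates`);
    overrides[name] = picked; // exact pin, never a range
  }
  return overrides;
}

// Fixed "now" so the sample is reproducible; use `new Date()` in practice.
const NOW = new Date("2025-09-12T12:00:00.000Z");
console.log(JSON.stringify({ overrides: buildOverrides(SAMPLE_NPM_OUTPUT, SAMPLE_TIMES, NOW) }, null, 2));
// → { "overrides": { "rollup": "4.50.0", "@types/react": "18.2.9" } }
```

The cutoff is computed from the publish timestamp, with a full 5 x 24 hours of margin, because the curation service counts age from publish time rather than from the calendar day; a version that is 4 days old today will be accepted tomorrow, so re-running the script later may choose a newer pin.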

Common Package Categories That May Require Overrides:

  • Build tools: rollup, vite, @vitejs/plugin-react
  • Browser compatibility: electron-to-chromium, caniuse-lite, baseline-browser-mapping
  • React ecosystem: @types/react, @types/react-dom, react-day-picker
  • Development tools: Various dev dependencies may trigger blocks

Pro Tips:

  1. Work incrementally: Install base dependencies first, then add additional packages, so each new block notice points at one change
  2. Use specific versions: Pin exact versions in overrides rather than ranges; a range can resolve to a version that is blocked again tomorrow
  3. Check dates carefully: Ensure the version you choose is at least 5 days old on the day you install, measured from its publish timestamp in npm view <package-name> time
  4. Document your overrides: Record why each version was chosen, and revisit the list regularly; an exact pin also holds back future security patches, so remove each override once the version you originally wanted is older than 5 days