Gitlab NPM Registry reports "Package already exists." on publish, but it does not exist!

Summary

When trying to publish packages to the Gitlab NPM registry, a 403 (Package already exists.) gets returned, even though the version of that package is not to be found in:

Note: the version has previously existed but has been unpublished/deleted via API call.

We do this regularly in our CI workflow. The first time our pipeline encountered this issue was Feb 2, 2022 7:27am AST.

If required I will provide a demo project. Due to time constraints I am not able to do this right now - but the issue is kind of urgent...

Steps to reproduce

  • publish a package to Gitlab registry (in our case version 1.81.0) with npm publish - correct behavior
  • package version exists with correct version (in our case version 1.81.0) in Web UI, API and listed by npm view @myscope/mypackagename versions --json - correct behavior
  • delete package via API (since the Gitlab registry SADLY does not support npm unpublish) - DELETE https://gitlab.com/api/v4/projects/MY_PROJECT_ID/packages/PACKAGE_ID - correct behavior
  • package version DOES NOT get listed anymore (in our case version 1.81.0) in Web UI, API and npm view @myscope/mypackagename versions --json - correct behavior
  • publish same package to Gitlab registry with same version as previously deleted version (in our case version 1.81.0) npm publish - INCORRECT BEHAVIOR

What is the current bug behavior?

Deleted npm package versions CAN NOT be re-published with the same version numbers, as npm reports "Package already exists."

What is the expected correct behavior?

Deleted npm package versions CAN be re-published with same version numbers.

Relevant logs and/or screenshots

Web UI after package deletion (in our case version 1.81.0):

[Screenshot: Project NPM Registry Web UI]

Output of npm view @myscope/mypackagename versions --json after package deletion (in our case version 1.81.0):

[
  ...,
  "1.79.0",
  "1.79.1",
  "1.79.2",
  "1.80.0",
  "1.80.1",
  "1.80.2",
  "1.80.3",
  "1.80.4",
  "1.80.5",
  "1.80.6",
  "1.80.7",
  "1.80.8"
]

Result trying to publish previously deleted version (in our case version 1.81.0):

HttpErrorGeneral: 403 Forbidden - PUT https://gitlab.com/api/v4/projects/MY_PROJECT_ID/packages/npm/@myscope%2mypackagename
    at /Users/iamaflippinlegend/.nvm/versions/node/v16.13.0/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:95:15
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async publish (/Users/iamaflippinlegend/.nvm/versions/node/v16.13.0/lib/node_modules/npm/node_modules/libnpmpublish/publish.js:43:12)
    at async Publish.publish (/Users/iamaflippinlegend/.nvm/versions/node/v16.13.0/lib/node_modules/npm/lib/publish.js:128:7) {
  headers: [Object: null prototype] {
    date: [ 'Wed, 02 Feb 2022 16:38:23 GMT' ],
    'content-type': [ 'application/json' ],
    'content-length': [ '37' ],
    connection: [ 'keep-alive' ],
    'cache-control': [ 'no-cache' ],
    vary: [ 'Origin' ],
    'x-content-type-options': [ 'nosniff' ],
    'x-frame-options': [ 'SAMEORIGIN' ],
    'x-request-id': [ '01FTXMTAD0P3J5H2QBBTX7Q704' ],
    'x-runtime': [ '0.046645' ],
    'strict-transport-security': [ 'max-age=31536000' ],
    'referrer-policy': [ 'strict-origin-when-cross-origin' ],
    'ratelimit-observed': [ '2' ],
    'ratelimit-remaining': [ '1998' ],
    'ratelimit-reset': [ '1643819963' ],
    'ratelimit-resettime': [ 'Wed, 02 Feb 2022 16:39:23 GMT' ],
    'ratelimit-limit': [ '2000' ],
    'gitlab-lb': [ 'fe-13-lb-gprd' ],
    'gitlab-sv': [ 'localhost' ],
    'cf-cache-status': [ 'DYNAMIC' ],
    'expect-ct': [
      'max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"'
    ],
    'report-to': [
      '{"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=Bbk0ZTayTJVH60VJZK1IFeBQ%2BpqDpUr6rhDGazryEpVOc5bpb%2B0XycTC5U%2Fu%2BgVJmvIuNDK78WiiI21dFjL2AmyuG%2BNGYRzbP6mePYfAzP601y99bcHx4dlbGNc%3D"}],"group":"cf-nel","max_age":604800}'
    ],
    nel: [
      '{"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}'
    ],
    server: [ 'cloudflare' ],
    'cf-ray': [ '6d74d97acb718df0-MIA' ],
    'x-fetch-attempts': [ '1' ]
  },
  statusCode: 403,
  code: 'E403',
  method: 'PUT',
  uri: 'https://gitlab.com/api/v4/projects/MY_PROJECT_ID/packages/npm/@myscope%2mypackagename',
  body: { message: 'Package already exists.' },
  pkgid: '@myscope/mypackagename@1.81.0'
}
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://gitlab.com/api/v4/projects/MY_PROJECT_ID/packages/npm/@myscope%2mypackagename
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

Output of checks

This bug happens on GitLab.com

Workarounds

  • Bump manually to higher version every time this bug occurs - which messes up automated version management (by e.g. lerna)
Edited by Julian Kaminski
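
The following is an added example, not part of the original report and not GitLab or npm code: a CI-side check that tells the state described above (403 "Package already exists." for a version that `npm view ... versions --json` no longer lists) apart from an ordinary duplicate publish. The helper names are hypothetical and the sample inputs are constructed from the output quoted in the report.

```javascript
'use strict';

// Constructed sample inputs, modelled on the output quoted in the report.
const sampleVersionsJson = '["1.80.6", "1.80.7", "1.80.8"]';
const sampleError = {
  statusCode: 403,
  code: 'E403',
  body: { message: 'Package already exists.' },
  pkgid: '@myscope/mypackagename@1.81.0',
};

// Split "@scope/name@1.2.3" at the last "@" so the scope prefix survives.
function splitPkgId(pkgid) {
  const at = String(pkgid).lastIndexOf('@');
  if (at <= 0) throw new Error(`no version in pkgid: ${pkgid}`);
  return { name: pkgid.slice(0, at), version: pkgid.slice(at + 1) };
}

// Accept either a JSON array of versions or a single JSON string.
function parseVersions(json) {
  const parsed = JSON.parse(json);
  return Array.isArray(parsed) ? parsed : [parsed];
}

// Hypothetical helper: decide what a failed publish means for the pipeline.
// err is the error object npm prints; versionsJson is the `npm view` output.
function classifyPublishFailure(err, versionsJson) {
  const message = err?.body?.message;
  if (err?.statusCode !== 403 || message !== 'Package already exists.') {
    return { kind: 'other-error' };
  }
  const { name, version } = splitPkgId(err.pkgid);
  const listed = parseVersions(versionsJson).includes(version);
  return {
    // "not-listed" is the mismatch this report describes: the registry
    // rejects the version although its own listing no longer shows it.
    kind: listed ? 'conflict-version-listed' : 'conflict-version-not-listed',
    name,
    version,
  };
}

console.log(classifyPublishFailure(sampleError, sampleVersionsJson));
```

A pipeline can fail with a distinct message on `conflict-version-not-listed` instead of silently bumping the version.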