npm registry accepts second publish of same version


Summary

When publishing an npm package to the GitLab Package Registry, the second npm publish with the same name and version is accepted by the registry (publish command exits successfully), but the Package Registry UI shows "Error publishing · Package already exists."

In earlier GitLab versions, the second publish resulted in an error when running the npm publish command.

Steps to reproduce

  1. Create a project with Package Registry enabled
  2. Configure .npmrc, package.json (with e.g. minimal index.js)
  3. Publish the package running npm publish
  4. Modify the package without changing the version
  5. Publish again running npm publish
  6. After the second publish, check the GitLab UI

(also see Example Project)

Example Project

Minimal setup of example project: https://gitlab.com/TK04/npm-publish-test

What is the current bug behavior?

  • The second npm publish exits successfully despite a package with the same name and version already being published
  • Only in the UI, the package entry shows error "Error publishing - package already exists"

What is the expected correct behavior?

  • The second npm publish command of the same name + version should be rejected by the npm registry
  • The API should return a 4xx

Relevant logs and/or screenshots

Output of checks

  • Output of second publish command
npm notice Publishing to https://gitlab.com/api/v4/projects/78016913/packages/npm/ with tag latest and default access
npm http fetch PUT 200 https://gitlab.com/api/v4/projects/78016913/packages/npm/@tk04%2fnpm-publish-test 1091ms
+ @tk04/npm-publish-test@1.0.

Package Registry Error

image

Settings for duplicate packages (in self-hosted instance):

image

This bug happens on GitLab.com

Results of GitLab environment info

  • GitLab Edition: Community Edition
  • GitLab Version: 18.8.0 (also tested on current gitlab.com instance v 18.9.0-pre)