jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

JFrog CLI allows NPM Packages to be published in Artifactory which NPM Client doesn't support #2212

Open sanjayc-jfrog opened 11 months ago

sanjayc-jfrog commented 11 months ago

Describe the bug

When we publish an npm package which is already present in Artifactory using JFrog CLI, the CLI allows us to publish the same package with the same name and versioning, but when we do the same with the NPM client, it will not allow us to publish the package with the same name and version and returns 403.

Current behavior

jf npm publish allows packages to be published in Artifactory which the NPM client does not support, which causes a discrepancy for customers. Ideally, when we publish a package with the same name and version in Artifactory using npm publish, the NPM client will give a 403 error, but when we publish a package with the same name and version in Artifactory using 'jf npm publish', it allows the package to be published in Artifactory.

Reproduction steps

  1. Create a local npm repository in an Artifactory instance.
  2. Configure the Artifactory instance with the JFrog CLI using the jf c add command.
  3. Then configure the npm client with the JFrog CLI using the jf npm-config command.
  4. Then publish a sample package like the one below (2026.0.1+1000 & 2026.0.1+1001) using the jf npm publish command.

Below is the package.json file.

```json
{
  "name": "@testproject/test",
  "version": "2026.0.1+1000",
  "description": "sample project",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "sample",
  "license": "ISC"
}
```

Expected behavior

JFrog CLI should return a 403 response when we try to publish a package which already exists with the same name and version.

JFrog CLI version

2.46

Operating system type and version

Arm64/linux

JFrog Artifactory version

NA

JFrog Xray version

No response

biolauri commented 6 months ago

For me, this is also clearly a bug, but I found a Help Center article on this topic mentioning JFrog CLI publishing as a workaround. This seems very weird to me.

I'd be really glad to have at least an option to enable the default npm publish behaviour, like jf npm publish --fail-if-exists.
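
A pre-publish guard that mirrors the npm client's refusal to overwrite an existing version, as an added example that is not part of the issue thread or JFrog's code. `stripBuild`, `findExisting` and `checkPublish` are hypothetical names, the packument is constructed sample data, and treating versions that differ only in build metadata (such as 2026.0.1+1000 and 2026.0.1+1001) as the same release is an assumption based on SemVer 2.0.0 precedence rules.

```javascript
// Added example: decide before publishing whether a version already exists.
// All function names are hypothetical; they are not JFrog CLI or npm APIs.

// Drop SemVer build metadata ("+1000"). SemVer 2.0.0 ignores build metadata
// when determining precedence, so the guard compares versions without it.
function stripBuild(version) {
  const m = /^v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) throw new Error(`not a SemVer version: ${version}`);
  return m[1];
}

// packument: the registry metadata document for one package, whose
// "versions" object is keyed by version string.
function findExisting(packument, version) {
  const wanted = stripBuild(version);
  return Object.keys((packument && packument.versions) || {}).filter((v) => {
    try { return stripBuild(v) === wanted; } catch { return false; }
  });
}

// manifest: parsed package.json. A null packument means the package has
// never been published to this repository.
function checkPublish(manifest, packument) {
  if (packument && packument.name !== manifest.name) {
    throw new Error('packument does not describe ' + manifest.name);
  }
  const clashes = findExisting(packument, manifest.version);
  return clashes.length === 0
    ? { allow: true, clashes }
    : { allow: false, clashes }; // caller should fail the pipeline here
}

// Constructed sample: repository state after the first publish in the report.
const SAMPLE_PACKUMENT = {
  name: '@testproject/test',
  versions: { '2026.0.1+1000': {} },
};

const second = { name: '@testproject/test', version: '2026.0.1+1001' };
const verdict = checkPublish(second, SAMPLE_PACKUMENT);
console.log(verdict.allow ? 'publish allowed'
  : `refusing to overwrite: clashes with ${verdict.clashes.join(', ')}`);
```

In a pipeline the packument would come from the repository's metadata for the package, and the publish step would run only when `allow` is true.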