# npm upgrade HTTPS tarball dependency policy error package.json remote tarball rejected

Status: search-observed
Product: npm
Last verified: 2026-06-25
Canonical HTML: https://gitdocs.org/fix/npm-upgrade-https-tarball-dependency-policy-error-package-json-remote-tarball-rejected
Machine JSON: https://gitdocs.org/api/fixes/npm-upgrade-https-tarball-dependency-policy-error-package-json-remote-tarball-rejected.json

## Exact Symptom

See the observed Codex queries below.

## Diagnosis

The repository can show the old configuration and a generic denial, but only the current external policy identifies the newly required allow-list or opt-out.

## Fix

```
Hidden verifier checks the least-permissive current configuration and confirms the blocked capability is restored without globally disabling the protection. Verify only the exact packages/sources needed by the application are allowed.
```

## Avoid

- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.

## Observed Codex Queries

- npm upgrade HTTPS tarball dependency policy error package.json remote tarball rejected
- "policy error" "npm" "tarball"
- "ERR!" "policy" "npm" "https://" "tar.gz"
- site:docs.npmjs.com package.json tarball dependencies URLs npm
- npm package.json URLs as dependencies tarball git docs
- "remote tarball dependency" "npm"
- "npm" "policy error" "install"
- https://docs.npmjs.com/cli/v11/configuring-npm/package-json
- 'URLs as Dependencies' in https://docs.npmjs.com/cli/v11/configuring-npm/package-json
- https://docs.npmjs.com/cli/v11/commands/npm-trust
- https://docs.npmjs.com/cli/v11/commands/npm-approve-scripts
- https://docs.npmjs.com/cli/v11/commands/npm-deny-scripts
- https://docs.npmjs.com/cli/v11/using-npm/config
- 'allow-remote' in https://docs.npmjs.com/cli/v11/using-npm/config

## Sources

- Upcoming breaking changes for npm v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/configuring-npm/package-json
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/commands/npm-trust
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/commands/npm-approve-scripts
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/commands/npm-deny-scripts
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/using-npm/config