Security default flip
A package.json dependency using an HTTPS tarball returns a policy error after upgrade.
Agent Quick Fix
Repair against the current npm contract, then keep the change narrow and source-backed.
Product: npm
Current-contract area: Remote tarball dependency rejected
Likely root cause: A package.json dependency using an HTTPS tarball returns a policy error after upgrade.
Repair direction: Use the least-permissive current configuration that restores the blocked capability without globally disabling the protection. Verify that only the exact packages/sources needed by the application are allowed.
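An added example (not npm's code and not from the original page) of one way to do the verification step above: inventory every remote tarball spec in a package.json object and compare it against an exact-URL allow-list. The package names, URLs and the `auditRemoteTarballs` helper are constructed for illustration, and the sketch assumes any plain http(s) spec is a tarball URL.

```javascript
// Added example: list remote tarball dependencies and flag any not explicitly approved.
const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Assumption: a spec starting with http:// or https:// is a remote tarball.
// Registry ranges, git+https://, file: and npm: specs return null.
function remoteTarball(spec) {
  if (typeof spec !== "string" || !/^https?:\/\//i.test(spec)) return null;
  try {
    const url = new URL(spec);
    return { protocol: url.protocol, host: url.host };
  } catch {
    return null; // not a parseable URL, so not treated as a tarball source
  }
}

// Returns one finding per remote tarball; approval requires HTTPS and an exact URL match.
function auditRemoteTarballs(pkg, allowedUrls) {
  const allowed = new Set(allowedUrls);
  const findings = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const info = remoteTarball(spec);
      if (!info) continue;
      const insecure = info.protocol !== "https:";
      findings.push({ section, name, spec, host: info.host, insecure,
                      approved: !insecure && allowed.has(spec) });
    }
  }
  return findings;
}

// Constructed sample manifest and allow-list (hypothetical names and hosts).
const samplePkg = {
  dependencies: {
    "left-lib": "^1.2.0",
    "vendored-sdk": "https://downloads.example.com/sdk/vendored-sdk-2.1.0.tgz",
    "legacy-tool": "http://mirror.example.net/legacy-tool-0.9.0.tar.gz",
  },
  devDependencies: {
    "build-helper": "git+https://git.example.com/build-helper.git",
    "unknown-blob": "https://cdn.example.org/unknown-blob.tgz",
  },
};
const sampleAllowed = ["https://downloads.example.com/sdk/vendored-sdk-2.1.0.tgz"];

for (const f of auditRemoteTarballs(samplePkg, sampleAllowed)) {
  const status = f.approved ? "approved" : f.insecure ? "REJECT (plain http)" : "REVIEW (not allow-listed)";
  console.log(`${f.section}/${f.name} -> ${f.host}: ${status}`);
}
```

Anything reported as REVIEW or REJECT is a source that a narrow exception would have to name explicitly, which is the list to reconcile before changing any npm configuration.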
Symptom
A package.json dependency using an HTTPS tarball returns a policy error after upgrade.
Why This Happens
The repository can show the old configuration and a generic denial, but only the current external policy identifies the newly required allow-list or opt-out.
Common Wrong Fixes
- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.
Codex Search Keywords
These are the search terms observed in a neutral Codex validation run for this failure shape.
npm upgrade HTTPS tarball dependency policy error package.json remote tarball rejected
"policy error" "npm" "tarball"
"ERR!" "policy" "npm" "https://" "tar.gz"
site:docs.npmjs.com package.json tarball dependencies URLs npm
npm package.json URLs as dependencies tarball git docs
"remote tarball dependency" "npm"
"npm" "policy error" "install"
https://docs.npmjs.com/cli/v11/configuring-npm/package-json
'URLs as Dependencies' in https://docs.npmjs.com/cli/v11/configuring-npm/package-json
https://docs.npmjs.com/cli/v11/commands/npm-trust
https://docs.npmjs.com/cli/v11/commands/npm-approve-scripts
https://docs.npmjs.com/cli/v11/commands/npm-deny-scripts
https://docs.npmjs.com/cli/v11/using-npm/config
'allow-remote' in https://docs.npmjs.com/cli/v11/using-npm/config
Source Trail
- Upcoming breaking changes for npm v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/configuring-npm/package-json
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/commands/npm-trust
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/commands/npm-approve-scripts
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/commands/npm-deny-scripts
- Official reference opened by Codex: https://docs.npmjs.com/cli/v11/using-npm/config