This error occurs when you attempt to publish an npm package with a version number that already exists in the registry. npm enforces version immutability for security and ecosystem stability—once a version is published, it can never be overwritten or reused.
This error occurs when you attempt to publish an npm package with a name and version combination that already exists in the registry. npm enforces version immutability for security and ecosystem stability—once a version is published, it can never be overwritten or reused, even if it's unpublished. This is a deliberate design choice to prevent supply-chain attacks where a malicious actor could replace legitimate code with compromised code while keeping the same version number. The immutability guarantee ensures that once you depend on a specific version, the code behind that version will never change. This protection applies to both public and scoped packages on the npm registry.
Query the npm registry to see what versions already exist:
npm info your-package-name
Or for scoped packages:
npm info @your-username/package-name
This shows all published versions. Note the highest version number currently published.
Update the version field in your package.json to a higher version following semantic versioning:
# For patch release (1.0.0 -> 1.0.1)
npm version patch
# For minor release (1.0.0 -> 1.1.0)
npm version minor
# For major release (1.0.0 -> 2.0.0)
npm version major
The npm version command automatically creates a git commit and tag.
Double-check that your package.json now contains a unique version number:
cat package.json | grep version
Confirm this version does NOT appear in the npm info output from Step 1.
Now publish with the incremented version:
npm publish
For scoped packages that should be public:
npm publish --access public
Confirm the new version is available:
npm info your-package-name
You should see your new version in the list of published versions.
Immutability and Security: npm enforces strict version immutability to prevent supply-chain attacks. Once a version is published, it can never be modified or reused, even if unpublished.
Unpublish Policy: You can unpublish a newly published package within 72 hours only if no other packages depend on it. After 72 hours, unpublishing is not allowed unless the package has zero dependents. Even when unpublished, the version number remains permanently reserved.
24-Hour Waiting Period: If you unpublish an entire package, you cannot publish any new versions of that package until 24 hours have passed.
Deprecation as Alternative: If your package doesn't meet unpublish criteria, use npm deprecate to mark it with a warning message while keeping it available for existing users.
Prerelease Versions: Use prerelease versions during development to avoid locking production version numbers:
{ "version": "1.0.0-alpha.1" }
Increment prerelease: npm version prerelease → 1.0.0-alpha.2