npm
npm install instructions for working with Optum's repository curation and blocking policies, which exist to mitigate supply chain attacks.
npm install instructions
Optum blocks package versions that are less than 5 days old. Package versions with Critical or High severity CVEs are blocked as well. When you encounter npm installation errors caused by these curation policies, follow this systematic approach:
Step 1: Identify Blocked Packages
When npm fails with 403 errors, look for messages like:

```text
npm notice package <package-name>:<version> download was blocked by jfrog packages curation service due to the following policies violated {DelayNPM,NewNPM,Package version is X days old,Use an older version or wait until this version is no longer immature}
```
Step 2: Find Compatible Versions
For each blocked package, run `npm view <package-name> time` to list every published version with its publish date:

```shell
npm view <package-name> time
npm view <package-name> time | tail -20        # recent versions only
npm view <package-name> time | grep "2025-09"  # versions from a specific timeframe
```
Key Strategy: Always attempt to use the latest version that is older than 5 days from the current date.
Step 3: Pin Compatible Versions
Add package overrides to your package.json to force npm to use the specific, older versions:

```json
{
  "name": "your-project",
  "dependencies": { ... },
  "devDependencies": { ... },
  "overrides": {
    "<blocked-package-1>": "<compatible-version-1>",
    "<blocked-package-2>": "<compatible-version-2>",
    "<blocked-package-3>": "<compatible-version-3>"
  }
}
```
Example from real scenarios:

```json
"overrides": {
  "rollup": "4.50.0",
  "electron-to-chromium": "1.5.200",
  "caniuse-lite": "1.0.30001740",
  "baseline-browser-mapping": "2.8.5",
  "react-day-picker": "9.0.9",
  "@types/react": "18.2.9",
  "@types/react-dom": "18.2.9"
}
```
Step 4: Handle Dependency Conflicts
If you encounter override conflicts (e.g., EOVERRIDE errors), consider:
- Downgrading main dependencies to compatible versions:

```jsonc
"dependencies": {
  "react": "^18.2.0",     // Instead of "^19.x.x"
  "react-dom": "^18.2.0"  // Instead of "^19.x.x"
}
```

- Adjusting devDependencies to match:

```jsonc
"devDependencies": {
  "@types/react": "18.2.9",          // Pin exact version
  "@types/react-dom": "18.2.9",      // Pin exact version
  "@vitejs/plugin-react": "^4.3.0",  // Downgrade from 5.x
  "vite": "^5.4.0"                   // Downgrade from 7.x
}
```

(The `//` comments are explanatory only; package.json itself must be plain JSON without comments.)
Step 5: Install with Overrides
Run npm install again. The overrides ensure npm uses only the allowed versions:

```shell
npm install
```
Repeat as necessary: You may encounter additional blocked packages during dependency resolution. Repeat steps 2-4 for each new blocked package until you achieve a working combination.
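Steps 1 to 3 above, worked as an added example that is not part of the original instructions: it parses a curation notice, picks the newest stable release that is already older than the 5-day delay from the object that `npm view <package-name> time --json` prints (the same data as `npm view <package-name> time`, as JSON), and builds the overrides entry. The sample notice, the time map and the `rollup` version numbers in it are constructed for illustration.

```javascript
// Added example (not from the original page or from Optum tooling): parse the
// Step 1 curation notice, apply the Step 2 rule (newest stable release already
// older than the delay) to `npm view <pkg> time --json` output, emit Step 3 overrides.
const MIN_AGE_DAYS = 5; // the immaturity delay described above
// Step 1: every "<name>:<version>" pair in a curation notice. The lazy
// match keeps scoped names such as @types/react intact.
function blockedPackages(npmOutput) {
  const re = /package (\S+?):(\S+) download was blocked/g;
  return [...npmOutput.matchAll(re)].map(m => ({ name: m[1], version: m[2] }));
}
// Numeric major.minor.patch comparison; prereleases are filtered out earlier.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Step 2: newest stable version published at least minAgeDays before `now`.
// timeMap is the `time` object: { created, modified, "<version>": "<ISO date>" }.
function pickCompatibleVersion(timeMap, now = new Date(), minAgeDays = MIN_AGE_DAYS) {
  const cutoff = now.getTime() - minAgeDays * 86400000;
  const ok = Object.entries(timeMap)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v)) // drops created/modified and prereleases
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareSemver);
  return ok.length ? ok[ok.length - 1] : null;
}
// Step 3: the "overrides" object for package.json, given one time map per blocked
// package (timeMaps[name]). A package with no old-enough release is left out.
function overridesFor(npmOutput, timeMaps, now = new Date()) {
  const overrides = {};
  for (const { name } of blockedPackages(npmOutput)) {
    const version = pickCompatibleVersion(timeMaps[name] || {}, now);
    if (version) overrides[name] = version;
  }
  return overrides;
}
// Constructed sample: a notice for a 2-day-old rollup release plus a trimmed time map.
const sampleNotice = 'npm notice package rollup:4.52.0 download was blocked by jfrog packages curation service due to the following policies violated {DelayNPM,NewNPM,Package version is 2 days old,Use an older version or wait until this version is no longer immature}';
const sampleTime = {
  created: '2024-01-01T00:00:00.000Z', modified: '2025-09-18T00:00:00.000Z',
  '4.50.0': '2025-09-01T00:00:00.000Z', '4.51.0': '2025-09-16T00:00:00.000Z',
  '4.52.0-beta.1': '2025-09-17T00:00:00.000Z', '4.52.0': '2025-09-18T00:00:00.000Z',
};
const sampleNow = new Date('2025-09-20T00:00:00Z');
const sampleOverrides = overridesFor(sampleNotice, { rollup: sampleTime }, sampleNow);
console.log(JSON.stringify({ overrides: sampleOverrides }, null, 2)); // { "rollup": "4.50.0" }
```

Paste the printed object into the `overrides` section of package.json; 4.51.0 is skipped because it is only 4 days old on the sample date, and the beta is skipped as a prerelease.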
Step 6: Verify Installation Success
- Check for successful package installation without 403 errors
- Verify your application builds and runs correctly
- Test key functionality to ensure compatibility with downgraded packages
Common Package Categories That May Require Overrides:
- Build tools: rollup, vite, @vitejs/plugin-react
- Browser compatibility: electron-to-chromium, caniuse-lite, baseline-browser-mapping
- React ecosystem: @types/react, @types/react-dom, react-day-picker
- Development tools: various dev dependencies may trigger blocks
Pro Tips:
- Work incrementally: Install base dependencies first, then add additional packages
- Use specific versions: Pin exact versions in overrides rather than ranges
- Check dates carefully: Ensure the version you choose is actually older than 5 days
- Document your overrides: Keep track of why specific versions were chosen for future reference