Behavior By Package
npm
Compliant Version Selection is enabled by default for npm.
Commands
| Command / Scenario | CVS Supported | Expected Behavior (Latest Version Blocked) | CLI Output |
|---|---|---|---|
npm install (no lock file) | Yes | Installs the latest compliant version. | No error |
npm install <pkg> | Yes | Installs the latest compliant version. | No error |
npm install <pkg>@<range> | Yes | Resolves to the highest compliant version in the range. | No error |
npm install <pkg>@<range> (range only covers older, unchecked versions) | No | A blocked older version is not substituted; resolution succeeds but download fails. | E403 |
npm install <pkg>@<range> (no compliant version in range) | No | All versions in the range are blocked. | ETARGET, no matching version found |
npm install <pkg>@<exact> (recent blocked version) | No | Version is removed from the filtered version list. | ETARGET, no matching version found |
npm install <pkg>@<exact> (older, unchecked blocked version) | No | Version remains visible in the version list. | Download fails with E403 |
npm install <pkg>@latest (latest tag is blocked) | Yes | Installs the latest compliant version. The latest tag is recalculated. | No error |
npm install <pkg>@<pre-release> (for example, @1.0.0-beta.1) | No | Treated as an exact version request. | E403 if blocked |
npm ci (lockfile version was never compliant) | No | Version is not present in the filtered version list. | ETARGET |
npm ci (lockfile version was compliant, now blocked or not evaluated) | No | Pinned version fails during artifact download. | E403 |
npm install <pkg>@latest where the latest dist-tag points to a non-compliant version | Yes | Installs the latest compliant version. | No error |
npm install <pkg>@dist-tag where a non-latest dist-tag (@next, @beta, @rc, @alpha) points to a non-compliant version | No | Version is removed from the filtered version list. | ETARGET, no matching version found |
npm install <pkg>@dist-tag where a non-latest dist-tag points to an older, unchecked blocked version | No | Version remains visible in the version list. | E403 Forbidden with block reason |
npm update / npm update <pkg> | Yes | Updates to the latest compliant version. | No error |
npm install --package-lock-only (no lock file) | Yes | Generates a lock file using the latest compliant version. | No error |
npm view <pkg> versions (alias npm info) | Yes | Recent blocked versions are removed; older blocked versions may still appear. | Filtered version list |
npm outdated | Yes | Shows the latest compliant version. | Compliant latest version displayed |
npm install <tarball-url> | No | Bypasses version resolution. | E403 if blocked |
npm dedupe | Yes | Re-resolves the dependency tree; unpinned versions may be replaced with compliant versions. | No error |
npm pack <pkg> | No | Bypasses version resolution. | Blocked downloads return E403 |
Supported package managers
- npm
- yarn
NPM Client Behavior
- npm fetches the full package metadata document, including all available versions, in a single request. CVS filters this metadata before npm processes it.
- npm resolves version constraints against the filtered version list, so blocked recent versions appear as if they do not exist.
- npm also relies on dist-tags such as
latest,next, andbeta. When CVS removes the version referenced by thelatesttag, CVS recalculates thelatesttag to point to the newest compliant version. Other dist-tags are not recalculated and may continue to point to versions that are no longer available in the filtered version list.
NPM FAQ
Does npm view show only compliant versions?
npm view show only compliant versions?Not always. CVS removes recent blocked versions, but older blocked versions that precede the first compliant version may still appear. These versions remain blocked and cannot be downloaded.
If a blocked version still appears in npm view, am I protected?
npm view, am I protected?Yes. Any attempt to download a blocked version returns a 403 Forbidden response. The block reason is displayed in the npm client and recorded in the Curation audit log.
What happens when every version is blocked?
For npm, when all package versions are non-compliant, Curation does not return package metadata to the client. This avoids exposing potentially malicious content in the metadata response itself.
- The npm client receives no version list for the package.
- All download attempts remain blocked.
- The Curation audit log records the request with package version All and shows that all versions are blocked.
PyPI
Supported Package Managers
- Pip
- Uv
Pip
| Command | CVS Supported | Expected Behavior When Latest Is Blocked |
|---|---|---|
pip install <name> | Yes | Installs the next compliant version silently |
pip install <name>==<version> | Yes | Fails if that version is blocked; 403 if all versions are blocked |
pip install <name>>=<version> | Yes | Resolves to next compliant version in range |
pip install <name>~=<version> | Yes | Resolves to next compliant version in compatible range |
pip install <name> --no-deps | Partial | Only the main package is resolved by CVS; transitive dependencies may return 403 |
pip index versions <package> | Yes | Recent blocked versions are removed; older blocked versions may still appear |
pip install --upgrade <name> | Yes | Upgrades to next compliant version; no change if current is compliant |
Uv
| Command | CVS Supported | Expected Behavior When Latest Is Blocked |
|---|---|---|
uv add <name> | Yes | Adds next compliant version to lock file |
uv add <name>>=<version> | Yes | Resolves to next compliant version in range |
uv add <name>~=<version> | Yes | Resolves to next compliant version in compatible range |
uv sync | Partial | Uses pinned versions; resolves via CVS only if not locked; blocked versions return 403 |
uv sync --upgrade | Yes | Re-resolves and updates to compliant versions |
uv pip install <name> | Yes | Behaves like pip; resolves to compliant version |
uv run --with <pkg> | Yes | Installs next compliant version |
uv lock --upgrade | Yes | Resolves to next compliant version within constraints |
PyPI packages resolved via the HTML Simple Index or JSON index are supported.
Gradle
| Scenario / Command | CVS Supported | Expected Behavior (Latest Version Blocked) | What You'll See in CLI |
|---|---|---|---|
./gradlew build or ./gradlew assemble(using dynamic ranges such as 1.+ or latest.release) | Yes | Intercepts and filters the maven-metadata.xml version list. Non-compliant versions are hidden. | Build completes successfully. Gradle resolves and uses the highest remaining compliant version. |
Plugin Portal Resolution via buildSrc(using plugins { id '...' version '...' }) | Yes | Intercepts and filters plugin version metadata. Non-compliant plugin versions are hidden from resolution. | Build completes successfully. Gradle resolves and uses the highest remaining compliant plugin version. |
| Fixed Pinned Version Execution (no version range, for example group:artifact:1.2.3) | No | The client bypasses version discovery metadata and performs a direct artifact download (.jar / .pom). | If the specified version is blocked by policy, the download fails with a standard 403 Forbidden error. |
| Strict Lock Mode Execution (using --lock-mode=STRICT or --write-locks) | No | Locked configurations bypass dynamic version discovery and rely entirely on static versions. | CVS filtering is not applied. If a locked version is blocked, the download fails with a standard 403 Forbidden error. |
| Dynamic Version Ranges with All Versions Blocked | Yes | The latest version remains visible in maven-metadata.xml, but no compliant version is available for resolution. | Gradle fails with a standard 403 Forbidden error during dependency resolution. |
Tools
- gradle
- gradlew
RubyGems
Commands
| Command | CVS Supported | Expected Behavior When Latest Is Blocked |
|---|---|---|
gem install <name> | Yes | Installs the latest compliant version |
gem install <name> -v '<version>' | No | Returns "Could not find a valid gem" if the latest is requested; returns 403 for a blocked older version |
gem update <name> | Partial | See Gem Client Behavior |
bundle install | Yes | Installs the latest compliant version |
bundle update | Yes | Updates to the next compliant version |
Supported Package Managers
- Bundler
- Gem
Gem Client Behavior
gem update uses:
latest_specs.*.gz(not filtered by CVS) for version discoverycompact index /info/<gem>(filtered by CVS) for installation
This mismatch can surface blocked versions during resolution.
Example:
- Installed:
pry 0.15.2 - Latest:
0.16.0(blocked)
Running gem update returns: Unable to resolve dependency: user requested 'pry (= 0.16.0)
Although the client detects the latest version, installation is blocked.
The error message is misleading, but the enforcement is correct.
NuGet
Commands
| Command | CVS Supported | Expected Behavior When Latest Is Blocked |
|---|---|---|
dotnet add package <name> | Yes | Installs the latest compliant version |
dotnet add package <name> --version <ver> | Yes | NU1102 if latest is blocked; 403 if older version is blocked |
dotnet restore | Yes | Installs the next compliant version |
dotnet restore (with lock file) | No | Downloads pinned versions; blocked versions return 403 |
dotnet package search | No | Shows latest version; install fails with 403 if blocked |
Support
Only NuGet v3 repositories are supported. NuGet v2 is not supported.
NuGet Client Behavior
--version 13.0.4is interpreted as>= 13.0.4, not an exact version- Exact version requires
[13.0.4]
dotnet package search may display versions that cannot be installed because search results are not filtered by CVS.
Conda
Commands
| Command | CVS Supported | Expected Behavior When Latest Is Immature |
|---|---|---|
conda install <name> | Yes | Installs the next compliant version |
conda install <name>=<ver> | No | Fails with 403 if that version is immature |
conda search <name> | Yes | Shows only compliant versions |
conda install (environment file) | Yes | Resolves to compliant versions |
Constraint
- Only Immaturity policies are supported for Conda CVS.
- CVS does not support Conda Shards yet.
Go
Commands
| Command | CVS Supported | Expected Behavior When Latest Is Blocked |
|---|---|---|
go get <module> | Yes | Resolves to the latest compliant version |
go get <module>@<version> | Yes | "package not found" if latest requested version is blocked; 403 if all versions are blocked |
go get -u <module> | Yes | Updates to next compliant version if applicable; no upgrade if current is compliant and latest is blocked |
go mod download | No | Downloads pinned version; 403 if pinned version is blocked |
Composer
Support
- Supported only for Composer V2.
- Supported Composer registry:
https://packagist.org/ - Supported public repositories:
Commands
| Command | CVS Supported | Expected Behavior (Latest Version Blocked) | CLI Output |
|---|---|---|---|
composer require vendor/package | Yes | Resolves to the latest compliant version | No error. Installs the next compliant version. |
composer require vendor/package:version | Yes | Request is blocked | Your requirements could not be resolved to an installable set of packages. |
composer install (composer.lock exists) | No | Composer continues downloading. Installation may fail depending on curation policies. | HTTP 403 for <package url>, aborting. |
composer install (composer.lock does not exist) | Yes | Resolves to the latest compliant version | |
composer update | Yes | Updates packages to the next compliant version | |
composer search | No | Search results are not filtered by CVS | |
composer require vendor/package:dev-main | No | Behavior depends on the Fallback Behavior for Blocked Packages configuration | If Resolution of Pending Package Updates is set to Block Always: HTTP 403 for <package url>, aborting. |
composer remove | Yes | May trigger the compliant version calculation and install the next compliant version for affected dependencies | |
composer outdated / composer show -lo | Yes | Lists the next compliant version |
AIEE
AI Editor Extensions (OpenVSX) Behavior
| Developer Action / Command | CVS Enabled | Expected Behavior (Latest Version Blocked) | Expected Output / Error Message |
|---|---|---|---|
Search Extension in UI e.g., typing in the Extensions view | Yes | Blocked versions are removed from the returned metadata payload. | The extension appears, but blocked versions are missing from the version history/version selection dropdown. |
| Install Extension via Editor UI | Yes | Lists the latest compliant version. | No errors. |
Install Specific Version (via Dropdown) Selecting a blocked version | Yes | Newer blocked versions are filtered out before the IDE handles the request. Older blocked versions may still appear. | Newer blocked versions do not appear in the version selection dropdown. Older blocked version installations may still fail. |
| Extension Background Update | Yes | CVS recalculates the highest available compliant version. The client updates only to the highest allowed version. | No update is triggered if no compliant newer version exists. No error is shown in the UI. |
Supported platforms
- VS Code
- VS Code
SBT
Commands
| Command / Scenario | CVS Supported | Expected Behavior (Latest Blocked) | CLI Output |
|---|---|---|---|
sbt update (dynamic version 2.+, latest blocked) | Yes | Resolves to the latest compliant version. The blocked version is removed from maven-metadata.xml. | No error |
sbt compile / sbt run | Yes | Same as sbt update. | No error |
sbt update with version range [2.0,3.0), latest in range blocked | Yes | Resolves to the highest compliant version within the range. | No error |
sbt update with a version range where no compliant version exists | No | All versions in the range are blocked, and the build fails. | No version found for [range] in <artifactory URL> |
sbt update with exact version 2.13.0 (blocked) | No | Coursier skips maven-metadata.xml for exact version requests. The download is blocked when fetching the JAR. | Coursier error: Error fetching artifacts: forbidden |
sbt update with latest.release | Yes | Resolves to the next compliant release version. | No error |
sbt update with all versions of a package blocked (product rule) | No | Full metadata is preserved for product rules. The resolver selects the latest version normally, but the JAR download is blocked. | Coursier error: Error fetching artifacts: forbidden |
sbt clean update | Yes | Forces a fresh dependency resolution. The CVS filter is applied when maven-metadata.xml is re-fetched. | No error |
sbt dependencyTree (built in since SBT 1.4) | Yes | Shows only compliant resolved versions. Blocked versions do not appear. | No error if resolution succeeds. SBT displays a warning if a dependency cannot be resolved. |
sbt evicted | Yes | Shows evictions only among compliant versions. | No error |
Troubleshooting
Why do I get a distribution not found or version not found errors even with a pinned version?
Specifying an exact or pinned version does not bypass JFrog Curation. Requests made through a curated repository are evaluated against Curation policies, including requests for exact versions.
If the requested version is blocked, it may be excluded from the package metadata returned to the package manager. The package manager can then report the version as not found or unavailable, even though it exists in the upstream repository. The exact error message varies by package manager.
Pinning determines which version is requested; it does not guarantee that the version is permitted by Curation.
A not found error can also have other causes. Check the Curation policy or audit information to confirm whether the version was blocked.
Updated 3 days ago
