Behavior By Package

npm

Compliant Version Selection is enabled by default for npm.

Commands

Command / ScenarioCVS SupportedExpected Behavior (Latest Version Blocked)CLI Output
npm install (no lock file)YesInstalls the latest compliant version.No error
npm install <pkg>YesInstalls the latest compliant version.No error
npm install <pkg>@<range>YesResolves to the highest compliant version in the range.No error
npm install <pkg>@<range> (range only covers older, unchecked versions)NoA blocked older version is not substituted; resolution succeeds but download fails.E403
npm install <pkg>@<range> (no compliant version in range)NoAll versions in the range are blocked.ETARGET, no matching version found
npm install <pkg>@<exact> (recent blocked version)NoVersion is removed from the filtered version list.ETARGET, no matching version found
npm install <pkg>@<exact> (older, unchecked blocked version)NoVersion remains visible in the version list.Download fails with E403
npm install <pkg>@latest (latest tag is blocked)YesInstalls the latest compliant version. The latest tag is recalculated.No error
npm install <pkg>@<pre-release> (for example, @1.0.0-beta.1)NoTreated as an exact version request.E403 if blocked
npm ci (lockfile version was never compliant)NoVersion is not present in the filtered version list.ETARGET
npm ci (lockfile version was compliant, now blocked or not evaluated)NoPinned version fails during artifact download.E403
npm install <pkg>@latest where the latest dist-tag points to a non-compliant versionYesInstalls the latest compliant version.No error
npm install <pkg>@dist-tag where a non-latest dist-tag (@next, @beta, @rc, @alpha) points to a non-compliant versionNoVersion is removed from the filtered version list.ETARGET, no matching version found
npm install <pkg>@dist-tag where a non-latest dist-tag points to an older, unchecked blocked versionNoVersion remains visible in the version list.E403 Forbidden with block reason
npm update / npm update <pkg>YesUpdates to the latest compliant version.No error
npm install --package-lock-only (no lock file)YesGenerates a lock file using the latest compliant version.No error
npm view <pkg> versions (alias npm info)YesRecent blocked versions are removed; older blocked versions may still appear.Filtered version list
npm outdatedYesShows the latest compliant version.Compliant latest version displayed
npm install <tarball-url>NoBypasses version resolution.E403 if blocked
npm dedupeYesRe-resolves the dependency tree; unpinned versions may be replaced with compliant versions.No error
npm pack <pkg>NoBypasses version resolution.Blocked downloads return E403

Supported package managers

  • npm
  • yarn

NPM Client Behavior

  • npm fetches the full package metadata document, including all available versions, in a single request. CVS filters this metadata before npm processes it.
  • npm resolves version constraints against the filtered version list, so blocked recent versions appear as if they do not exist.
  • npm also relies on dist-tags such as latest, next, and beta. When CVS removes the version referenced by the latest tag, CVS recalculates the latest tag to point to the newest compliant version. Other dist-tags are not recalculated and may continue to point to versions that are no longer available in the filtered version list.

NPM FAQ

Does npm view show only compliant versions?

Not always. CVS removes recent blocked versions, but older blocked versions that precede the first compliant version may still appear. These versions remain blocked and cannot be downloaded.

If a blocked version still appears in npm view, am I protected?

Yes. Any attempt to download a blocked version returns a 403 Forbidden response. The block reason is displayed in the npm client and recorded in the Curation audit log.

What happens when every version is blocked?

For npm, when all package versions are non-compliant, Curation does not return package metadata to the client. This avoids exposing potentially malicious content in the metadata response itself.

  • The npm client receives no version list for the package.
  • All download attempts remain blocked.
  • The Curation audit log records the request with package version All and shows that all versions are blocked.

PyPI

Supported Package Managers

  • Pip
  • Uv

Pip

CommandCVS SupportedExpected Behavior When Latest Is Blocked
pip install <name>YesInstalls the next compliant version silently
pip install <name>==<version>YesFails if that version is blocked; 403 if all versions are blocked
pip install <name>>=<version>YesResolves to next compliant version in range
pip install <name>~=<version>YesResolves to next compliant version in compatible range
pip install <name> --no-depsPartialOnly the main package is resolved by CVS; transitive dependencies may return 403
pip index versions <package>YesRecent blocked versions are removed; older blocked versions may still appear
pip install --upgrade <name>YesUpgrades to next compliant version; no change if current is compliant

Uv

CommandCVS SupportedExpected Behavior When Latest Is Blocked
uv add <name>YesAdds next compliant version to lock file
uv add <name>>=<version>YesResolves to next compliant version in range
uv add <name>~=<version>YesResolves to next compliant version in compatible range
uv syncPartialUses pinned versions; resolves via CVS only if not locked; blocked versions return 403
uv sync --upgradeYesRe-resolves and updates to compliant versions
uv pip install <name>YesBehaves like pip; resolves to compliant version
uv run --with <pkg>YesInstalls next compliant version
uv lock --upgradeYesResolves to next compliant version within constraints
📘

PyPI packages resolved via the HTML Simple Index or JSON index are supported.

Gradle

Scenario / CommandCVS SupportedExpected Behavior (Latest Version Blocked)What You'll See in CLI
./gradlew build or ./gradlew assemble
(using dynamic ranges such as 1.+ or latest.release)
YesIntercepts and filters the maven-metadata.xml version list. Non-compliant versions are hidden.Build completes successfully. Gradle resolves and uses the highest remaining compliant version.
Plugin Portal Resolution via buildSrc
(using plugins { id '...' version '...' })
YesIntercepts and filters plugin version metadata. Non-compliant plugin versions are hidden from resolution.Build completes successfully. Gradle resolves and uses the highest remaining compliant plugin version.
Fixed Pinned Version Execution
(no version range, for example group:artifact:1.2.3)
NoThe client bypasses version discovery metadata and performs a direct artifact download (.jar / .pom).If the specified version is blocked by policy, the download fails with a standard 403 Forbidden error.
Strict Lock Mode Execution
(using --lock-mode=STRICT or --write-locks)
NoLocked configurations bypass dynamic version discovery and rely entirely on static versions.CVS filtering is not applied. If a locked version is blocked, the download fails with a standard 403 Forbidden error.
Dynamic Version Ranges with All Versions BlockedYesThe latest version remains visible in maven-metadata.xml, but no compliant version is available for resolution.Gradle fails with a standard 403 Forbidden error during dependency resolution.

Tools

  • gradle
  • gradlew

RubyGems

Commands

CommandCVS SupportedExpected Behavior When Latest Is Blocked
gem install <name>YesInstalls the latest compliant version
gem install <name> -v '<version>'NoReturns "Could not find a valid gem" if the latest is requested; returns 403 for a blocked older version
gem update <name>PartialSee Gem Client Behavior
bundle installYesInstalls the latest compliant version
bundle updateYesUpdates to the next compliant version

Supported Package Managers

  • Bundler
  • Gem

Gem Client Behavior

gem update uses:

  • latest_specs.*.gz (not filtered by CVS) for version discovery
  • compact index /info/<gem> (filtered by CVS) for installation

This mismatch can surface blocked versions during resolution.

Example:

  • Installed: pry 0.15.2
  • Latest: 0.16.0 (blocked)

Running gem update returns: Unable to resolve dependency: user requested 'pry (= 0.16.0)

Although the client detects the latest version, installation is blocked.
The error message is misleading, but the enforcement is correct.

NuGet

Commands

CommandCVS SupportedExpected Behavior When Latest Is Blocked
dotnet add package <name>YesInstalls the latest compliant version
dotnet add package <name> --version <ver>YesNU1102 if latest is blocked; 403 if older version is blocked
dotnet restoreYesInstalls the next compliant version
dotnet restore (with lock file)NoDownloads pinned versions; blocked versions return 403
dotnet package searchNoShows latest version; install fails with 403 if blocked

Support

Only NuGet v3 repositories are supported. NuGet v2 is not supported.

NuGet Client Behavior

  • --version 13.0.4 is interpreted as >= 13.0.4, not an exact version
  • Exact version requires [13.0.4]

dotnet package search may display versions that cannot be installed because search results are not filtered by CVS.

Conda

Commands

CommandCVS SupportedExpected Behavior When Latest Is Immature
conda install <name>YesInstalls the next compliant version
conda install <name>=<ver>NoFails with 403 if that version is immature
conda search <name>YesShows only compliant versions
conda install (environment file)YesResolves to compliant versions

Constraint

  • Only Immaturity policies are supported for Conda CVS.
  • CVS does not support Conda Shards yet.

Go

Commands

CommandCVS SupportedExpected Behavior When Latest Is Blocked
go get <module>YesResolves to the latest compliant version
go get <module>@<version>Yes"package not found" if latest requested version is blocked; 403 if all versions are blocked
go get -u <module>YesUpdates to next compliant version if applicable; no upgrade if current is compliant and latest is blocked
go mod downloadNoDownloads pinned version; 403 if pinned version is blocked

Composer

Support

Commands

CommandCVS SupportedExpected Behavior (Latest Version Blocked)CLI Output
composer require vendor/packageYesResolves to the latest compliant versionNo error. Installs the next compliant version.
composer require vendor/package:versionYesRequest is blockedYour requirements could not be resolved to an installable set of packages.
composer install (composer.lock exists)NoComposer continues downloading. Installation may fail depending on curation policies.HTTP 403 for <package url>, aborting.
composer install (composer.lock does not exist)YesResolves to the latest compliant version
composer updateYesUpdates packages to the next compliant version
composer searchNoSearch results are not filtered by CVS
composer require vendor/package:dev-mainNoBehavior depends on the Fallback Behavior for Blocked Packages configurationIf Resolution of Pending Package Updates is set to Block Always: HTTP 403 for <package url>, aborting.
composer removeYesMay trigger the compliant version calculation and install the next compliant version for affected dependencies
composer outdated / composer show -loYesLists the next compliant version

AIEE

AI Editor Extensions (OpenVSX) Behavior

Developer Action / CommandCVS EnabledExpected Behavior (Latest Version Blocked)Expected Output / Error Message

Search Extension in UI

e.g., typing in the Extensions view

YesBlocked versions are removed from the returned metadata payload.The extension appears, but blocked versions are missing from the version history/version selection dropdown.
Install Extension via Editor UIYesLists the latest compliant version.No errors.

Install Specific Version (via Dropdown)

Selecting a blocked version

YesNewer blocked versions are filtered out before the IDE handles the request. Older blocked versions may still appear.Newer blocked versions do not appear in the version selection dropdown. Older blocked version installations may still fail.
Extension Background UpdateYesCVS recalculates the highest available compliant version. The client updates only to the highest allowed version.No update is triggered if no compliant newer version exists. No error is shown in the UI.

Supported platforms

  • VS Code
  • VS Code

SBT

Commands

Command / ScenarioCVS SupportedExpected Behavior (Latest Blocked)CLI Output
sbt update (dynamic version 2.+, latest blocked)YesResolves to the latest compliant version. The blocked version is removed from maven-metadata.xml.No error
sbt compile / sbt runYesSame as sbt update.No error
sbt update with version range [2.0,3.0), latest in range blockedYesResolves to the highest compliant version within the range.No error
sbt update with a version range where no compliant version existsNoAll versions in the range are blocked, and the build fails.No version found for [range] in <artifactory URL>
sbt update with exact version 2.13.0 (blocked)NoCoursier skips maven-metadata.xml for exact version requests. The download is blocked when fetching the JAR.Coursier error: Error fetching artifacts: forbidden
sbt update with latest.releaseYesResolves to the next compliant release version.No error
sbt update with all versions of a package blocked (product rule)NoFull metadata is preserved for product rules. The resolver selects the latest version normally, but the JAR download is blocked.Coursier error: Error fetching artifacts: forbidden
sbt clean updateYesForces a fresh dependency resolution. The CVS filter is applied when maven-metadata.xml is re-fetched.No error
sbt dependencyTree (built in since SBT 1.4)YesShows only compliant resolved versions. Blocked versions do not appear.No error if resolution succeeds. SBT displays a warning if a dependency cannot be resolved.
sbt evictedYesShows evictions only among compliant versions.No error

Troubleshooting

Why do I get a distribution not found or version not found errors even with a pinned version?

Specifying an exact or pinned version does not bypass JFrog Curation. Requests made through a curated repository are evaluated against Curation policies, including requests for exact versions.

If the requested version is blocked, it may be excluded from the package metadata returned to the package manager. The package manager can then report the version as not found or unavailable, even though it exists in the upstream repository. The exact error message varies by package manager.

📘

Pinning determines which version is requested; it does not guarantee that the version is permitted by Curation.

A not found error can also have other causes. Check the Curation policy or audit information to confirm whether the version was blocked.


Did this page help you?