Policy-Compliant Component Selection for npm

When a user requests an npm package without explicitly specifying a version (e.g., npm install package) or with a version range, the npm client relies on the package metadata from the npm registry to select a version that satisfies the version constraints. When the selected version has a policy violation and is quarantined by Sonatype Repository Firewall, the build fails and requires a manual fix of the root cause.

When this option is enabled, Repository Firewall removes quarantined versions from the npm package metadata, so the client cannot select a version with policy violations.
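To make the mechanism concrete, the following script (added here as an illustration, not Sonatype's or npm's code) models both steps: the client picking the highest version that satisfies a range, and the firewall stripping quarantined versions from the metadata first. The packument, the quarantine list and the dist-tag handling are constructed assumptions for this example; only caret ranges and exact versions are supported.

```javascript
// Added example, not Sonatype's or npm's code. It simulates removing quarantined
// versions from an npm packument before the client resolves a version range.
// The packument and quarantine list are constructed; only caret ranges and
// exact versions are handled.

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// "^1.2.0" means >=1.2.0 <2.0.0 (major >= 1); a bare version means exact match.
function satisfies(version, range) {
  if (!range.startsWith('^')) return cmp(version, range) === 0;
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// Client-side step: highest version in the metadata that satisfies the range,
// or null when nothing does (the client would fail the install).
function selectVersion(packument, range) {
  const ok = Object.keys(packument.versions).filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Firewall-side step: metadata without the quarantined versions. Dist-tags that
// point at a removed version are dropped too (an assumption for this example).
function filterQuarantined(packument, quarantined) {
  const versions = Object.fromEntries(
    Object.entries(packument.versions).filter(([v]) => !quarantined.has(v)),
  );
  const distTags = Object.fromEntries(
    Object.entries(packument['dist-tags']).filter(([, v]) => !quarantined.has(v)),
  );
  return { ...packument, versions, 'dist-tags': distTags };
}

// Constructed sample: three published versions, the newest one quarantined.
const PACKUMENT = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.2.0' },
  versions: { '1.0.0': {}, '1.1.0': {}, '1.2.0': {} },
};
const QUARANTINED = new Set(['1.2.0']);
const FILTERED = filterQuarantined(PACKUMENT, QUARANTINED);

console.log(selectVersion(PACKUMENT, '^1.0.0')); // 1.2.0: the quarantined version
console.log(selectVersion(FILTERED, '^1.0.0'));  // 1.1.0: highest compliant version
console.log(selectVersion(FILTERED, '^1.2.0'));  // null: no compliant version fits the range
```

The last case shows the limit of the option: when no compliant version satisfies the requested range, the install still fails and the root cause still has to be fixed manually.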

See the Repository Firewall documentation on policy-compliant component selection.