What Cloudsmith shipped in Q2 2026

The Cloudsmith platform improved with each new changelog in Q2 of 2026. Our focus on constant innovation shows in the new features we shipped and in the major and minor platform improvements that help users manage artifact pipelines at enterprise scale.

In case you missed the changelogs as they came out, here’s a quick roundup of what changed over the past quarter.

New features

Branded distribution of software components with Cloudsmith Private Broadcasts

Private Broadcasts give teams a branded distribution portal with access controlled by entitlement tokens. Two new capabilities increase the value of Broadcasts to users. Package Groups let you batch packages by format and name, so end users browsing a repository containing multiple package versions see a clean, organized structure rather than a flat list of files. Search syntax support for access links means you can pre-filter what a shared link shows.

Connected repositories (early access)

Large engineering organizations typically need to balance two things that pull in opposite directions: developers want a single place to pull every package they need, and platform teams need fine-grained control over who can publish or promote to any given repository.

Connected repositories are the solution. A source repository can aggregate packages from multiple connected repositories with no indexing delay. When a shared library lands in a connected repo, it's immediately visible to every team consuming the source. Priority-based resolution handles the case where the same package version exists in multiple places. Teams don't need to know anything about the underlying repository structure – they pull from one location, and Cloudsmith handles the rest.

Inherited upstreams extend this further. If your shared library repository points to Maven Central or PyPI, the teams consuming the source repo get access to those public packages automatically, through the same pull point, without separate trust configuration.

Connected repositories are now available for Maven, Docker, Python, npm, Go, Cargo (Rust), NuGet, Helm, Conda, and Conan.
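The aggregation and priority-based resolution described above, as an added example that is not Cloudsmith's code: a small Python model in which a source repository walks its connected repositories in priority order, returns the first copy of a requested version it finds, and falls through to the connected repositories' inherited upstreams when the version is hosted nowhere. The repository names, publishers and package inventory are constructed for the example; how Cloudsmith itself stores or orders these relationships is not shown on the page and is not claimed here.

```python
from dataclasses import dataclass, field

# Toy model of connected repositories: a source repository aggregates several
# connected repositories, resolves duplicates by priority, and inherits the
# connected repositories' upstreams. Constructed example, not Cloudsmith's code.


@dataclass
class Upstream:
    name: str
    # Constructed view of what the public registry serves: {(package, version)}
    available: set = field(default_factory=set)


@dataclass
class ConnectedRepo:
    name: str
    # Constructed inventory: {(package, version): who published it}
    packages: dict = field(default_factory=dict)
    # Public registries this repo proxies; a source that connects this repo inherits them
    upstreams: list = field(default_factory=list)


@dataclass
class SourceRepo:
    name: str
    # Connected repos in priority order; index 0 wins when a version exists in several
    connected: list = field(default_factory=list)

    def resolve(self, package, version):
        """Return (location, publisher) for the winning copy, or None if it exists nowhere."""
        for repo in self.connected:
            publisher = repo.packages.get((package, version))
            if publisher is not None:
                return repo.name, publisher
        # Not hosted in any connected repo: fall through to inherited upstreams,
        # still honouring the priority order of the repos that declare them
        for repo in self.connected:
            for upstream in repo.upstreams:
                if (package, version) in upstream.available:
                    return f"{repo.name}/upstream:{upstream.name}", "public"
        return None

    def index(self):
        """Aggregated index the consumer sees: one entry per (package, version),
        attributed to the highest-priority repo that holds it."""
        seen = {}
        for repo in self.connected:
            for key, publisher in repo.packages.items():
                seen.setdefault(key, (repo.name, publisher))
        return seen


def build_example():
    """Constructed topology: a shared-libs repo (with a PyPI upstream) and a team repo."""
    pypi = Upstream("pypi", {("requests", "2.32.3")})
    shared = ConnectedRepo("shared-libs", {("corelib", "1.2.0"): "platform-team"}, [pypi])
    team_a = ConnectedRepo(
        "team-a", {("corelib", "1.2.0"): "team-a", ("a-tool", "0.1.0"): "team-a"}
    )
    # shared-libs is listed first, so its copy of corelib 1.2.0 takes priority
    return SourceRepo("all-packages", [shared, team_a])


if __name__ == "__main__":
    src = build_example()
    print(src.resolve("corelib", "1.2.0"))    # shared-libs wins the tie
    print(src.resolve("requests", "2.32.3"))  # served via the inherited PyPI upstream
    print(src.resolve("a-tool", "9.9.9"))     # None: absent from the aggregated view
```

The point for a platform team is the tie-break in `resolve`: because both repos hold corelib 1.2.0, the consumer gets the shared-libs copy, which is the one the platform team controls publishing to. The `index` view shows what a consumer browsing the single pull point would see.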

What’s new in Cloudsmith’s Terraform provider

Our team improved our Terraform provider this quarter, adding two new capabilities for managing Cloudsmith at scale.

Manage policies as code with Terraform (early access)

Cloudsmith's Terraform provider (v0.0.75) now covers the full policy lifecycle. Four new constructs let you define quarantine rules, tag cleanup policies, and cooldown policies in HCL, version them in Git, and apply them through standard terraform apply workflows.

Cloudsmith’s Terraform GitHub repository includes a working example module that creates a quarantine-on-missing-tag policy, a tag cleanup policy, and a cooldown policy in one block.

Create and manage connected repositories with Terraform (early access)

Connected repositories, described above, can now be managed via Terraform. The new cloudsmith_connected_repository resource lets you declare repository topology in code. That configuration then lives in version control alongside the repositories themselves, which makes it auditable, diffable, and deployable through the same pipelines as everything else.

Automatically authenticate Docker Hub and DHI upstreams

Cloudsmith allows users to set up a Docker Hub or Docker Hardened Images (DHI) upstream without having to supply credentials. Cloudsmith authenticates these upstreams using a managed organization access token (OAT), and authenticated requests carry a higher rate limit than anonymous access, which matters for teams pulling frequently from public Docker registries in CI/CD.

A pre-configured DHI upstream is also available, so you can start proxying and caching images from the DHI Community tier immediately with no setup. To access the DHI Select or Enterprise tiers, configure the DHI registry as a private upstream with your own Docker Hub credentials. Note that workspace names are shared with Docker to attribute usage when the Cloudsmith-managed token is in use.

Align npm dist-tags with upstream registries

Cloudsmith's default behavior assigns the latest dist-tag to the package with the highest semantic version number. When a maintainer explicitly points latest at a specific release for compatibility reasons, Cloudsmith's semantic-version default can produce the wrong result.

The new "npm upstream tags take precedence" repository setting overrides the semantic version number default. When enabled, Cloudsmith checks the upstream registry's latest tag and applies it as an override, but only if that version is actually available to the client. If a cooldown policy or another rule filters that version from the index, Cloudsmith falls back to the semantically highest available release.

Teams publishing to both npmjs.com and Cloudsmith, or using tag-based resolution (@latest, @next) in their pipelines, can now mirror upstream behavior precisely. See the configuration details for how to enable the setting.

Recover deleted packages within a 7-day restoration window

Cloudsmith has always retained deleted packages for seven days before permanent removal. Restoring one, however, required contacting support. The new "Recently deleted packages" view in the web app lets teams restore packages directly. Permanent deletion before the window expires is also available if needed. The API now supports both operations. See the documentation for details.

Personalized tables

Column visibility, column order, and table density are now configurable across key tables in the web app and settings persist per table. The compact density option fits more rows on screen without switching views or resizing windows. See the personalization documentation for more information.

Upstream request logs

Upstream logs are now available in the web app. Each upstream shows successful requests from the last 12 hours and failed requests from the last 24 hours. When an upstream breaks, the log tells you what went wrong and when, without needing to file a support request.

London storage region

Teams with UK data residency requirements can now store artifacts on UK infrastructure. Select London as your storage region when creating a new repository, or transfer an existing repository via its Settings page. See the storage region documentation for details.

CircleCI Orb v2.0.0

The Cloudsmith CircleCI Orb now reaches feature parity with the GitHub Actions and Azure DevOps integrations. Three meaningful changes shipped in v2.

OIDC authentication. The new authenticate-with-oidc step exchanges short-lived tokens at runtime, eliminating the need to store long-lived API keys in CircleCI environment variables.

A zipapp-based CLI install. Rather than relying on pip and whatever Python environment the runner provides, the orb downloads a self-contained zipapp from dl.cloudsmith.io. The result is a faster, more consistent install with no dependency on the runner's environment.

Full CLI access. Previous versions exposed a subset of CLI functionality through orb wrappers. v2 installs the CLI directly, so any CLI command is available from within run steps.

Version 2.0.0 deprecated the publish command and introduced a few potential breaking changes. Review the changelog entry before upgrading.

Alpine and Wolfi upstream proxying

Cloudsmith now proxies and caches Alpine Linux and Wolfi packages from their public mirrors, merging them into a single APKINDEX.tar.gz signed with your repository's RSA key. Build environments trust one source for all APK dependencies without separate trust configuration per registry.

Wolfi doesn't use versioned branches, and public packages typically drop off the upstream after 12 months. Cloudsmith caches pulled Wolfi packages permanently, so builds that depend on packages no longer available upstream remain stable. See the Alpine format documentation for details.

Enrich packages with custom metadata (early access)

Users can now attach custom key-value metadata, stored as arbitrary JSON, to any package via the API or CLI. Contextual data that belongs with the artifact but doesn't fit in tags now has a proper home directly alongside it.

Once attached, metadata is searchable via the package search filter using the metadata field, and usable in policy-as-code matching logic. The web app supports viewing and searching existing metadata; create, update, and delete operations require the API or CLI. See the custom metadata documentation for details.

Improvements

Vulnerability detection now covers ecosystem-native OSV advisories

Cloudsmith's vulnerability scanning already matches packages against OSV advisories using SemVer-based version ranges. We extended that capability to advisories that use native ecosystem version formats that don't follow SemVer conventions.

If you have active vulnerability policies using the OSV.dev dataset, expect more policy matches now that Cloudsmith has more comprehensive support for version range format differences. Review the changelog entry for the full list of covered ecosystems.

More events now trigger policy evaluations

Two new triggers join the existing set of events that initiate policy evaluations. One, any policy create, edit, or delete operation now immediately re-evaluates affected packages against the updated configuration. Two, a default fallback evaluation runs every 12 hours against any packages that were not evaluated in the previous 12-hour window. These triggers apply to policy-as-code configurations only.

Cooldown policies now enforce at the index level (early access)

Cooldown policy enforcement is now done at the repository index level. The policy filters non-compliant versions before the package manager sees them. Builds resolve cleanly to the first compliant version available. Security teams configure one policy at the repository level, and it applies consistently across every consumer of that registry. Available in early access for Python and npm.
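The two behaviours described above and in the npm dist-tag section, index-level cooldown filtering and the "upstream tags take precedence" override with its fallback, as one added Python example that is not Cloudsmith's code. The package index, publish times, the 7-day cooldown and the fixed clock are all constructed; the resolution order (upstream's latest tag if that version survived filtering, otherwise the semantically highest visible version) follows the page's description, and any detail beyond that is an assumption of this model.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of a repository index with an index-level cooldown policy and
# the "npm upstream tags take precedence" override. Not Cloudsmith's implementation.

NOW = datetime(2026, 6, 30, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed package index: version -> publish time
INDEX = {
    "1.4.0": NOW - timedelta(days=40),
    "1.5.0": NOW - timedelta(days=10),
    "2.0.0": NOW - timedelta(days=2),  # newest release; still inside a 7-day cooldown
}


def semver_key(version):
    """Sort key for plain MAJOR.MINOR.PATCH strings (prereleases are out of scope here)."""
    return tuple(int(part) for part in version.split("."))


def apply_cooldown(index, min_age_days, now=NOW):
    """Index-level enforcement: return only versions published at least min_age_days ago.
    Anything younger is filtered out before a package manager ever sees it."""
    cutoff = now - timedelta(days=min_age_days)
    return {v: published for v, published in index.items() if published <= cutoff}


def resolve_latest(visible, upstream_latest=None, upstream_tags_take_precedence=False):
    """Decide which visible version the 'latest' dist-tag points at.

    Default: the highest semantic version among the visible versions.
    Override: the upstream registry's latest tag, but only if that version is
    visible to the client; otherwise fall back to the default."""
    if not visible:
        return None
    if upstream_tags_take_precedence and upstream_latest in visible:
        return upstream_latest
    return max(visible, key=semver_key)


if __name__ == "__main__":
    # No cooldown: latest is simply the highest version
    print(resolve_latest(apply_cooldown(INDEX, 0)))
    # 7-day cooldown hides 2.0.0, so the build resolves to the first compliant version
    print(resolve_latest(apply_cooldown(INDEX, 7)))
    # Maintainer pinned latest to 1.4.0 upstream and the override is on
    print(resolve_latest(apply_cooldown(INDEX, 0), "1.4.0", True))
    # Upstream says latest is 2.0.0, but cooldown filtered it: fall back to 1.5.0
    print(resolve_latest(apply_cooldown(INDEX, 7), "2.0.0", True))
```

Because the filtering happens in `apply_cooldown`, before `resolve_latest` runs, no client-side configuration is involved: every consumer of the index gets the same answer, which is the property the index-level enforcement is meant to give security teams.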

Bulk delete up to 100 packages

Multi-select package actions now include delete. Select up to 100 packages and remove them in one operation. Deleted packages land in the recently deleted view for a seven-day recovery window.

Set up and monitor upstreams more effectively

This quarter brought a set of web app improvements to upstream configuration and monitoring. A new streamlined setup flow gets you connected in a single click. An error tag now appears in the upstreams table when a connection fails. Each row now shows the indexed package count and can be expanded to reveal the last indexed timestamp, GPG key details, and distributions. Review the changelog for the full list of updates.

Improved docs site

Cloudsmith's new docs site now has improved search, with more accurate results, and results organized across core documentation, guides, and the API reference. It also now supports dark mode.

Fixes

Version handling improvements

Cloudsmith now applies stricter, more consistent logic when evaluating relational version ranges. The core fix is that a query like >=1.0 no longer incorrectly matches prerelease versions such as 1.0-a1 unless you explicitly ask it to. Most existing rules require no changes. Review the full changelog for details.
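The prerelease behaviour described above, as an added Python example that is not Cloudsmith's code: a small relational range matcher in which ">=1.0" does not match 1.0-a1 unless prereleases are explicitly requested. The version grammar (dotted integers with an optional "-tag" suffix), the operator set, and the rule that naming a prerelease in the range itself counts as asking for prereleases are all assumptions of this example; the page does not specify how Cloudsmith interprets "explicitly ask".

```python
import re

# Added illustration of relational version-range matching with prerelease exclusion.
# Assumptions, not Cloudsmith's rules: versions are dotted integers with an optional
# "-tag" suffix; a prerelease sorts before its final release; prereleases only match
# when the caller opts in or the range's own bound names a prerelease.

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")
_RANGE_RE = re.compile(r"^(>=|<=|==|>|<)\s*(.+)$")


def parse(version):
    """Return (release_tuple, prerelease_tag) with prerelease_tag None for a final release."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def _pad(a, b):
    """Right-pad the shorter release tuple with zeros so 1.0 and 1.0.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def compare(v1, v2):
    """Negative, zero or positive like a three-way compare. 1.0-a1 < 1.0 < 1.0.1."""
    r1, p1 = parse(v1)
    r2, p2 = parse(v2)
    r1, r2 = _pad(r1, r2)
    if r1 != r2:
        return -1 if r1 < r2 else 1
    if p1 == p2:
        return 0
    if p1 is None:  # final release beats any prerelease of the same number
        return 1
    if p2 is None:
        return -1
    return -1 if p1 < p2 else 1


_OPS = {
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
    "<=": lambda c: c <= 0,
    "<": lambda c: c < 0,
    "==": lambda c: c == 0,
}


def matches(range_spec, candidate, include_prereleases=False):
    """True if candidate satisfies a range such as '>=1.0'.

    A prerelease candidate is rejected outright unless the caller opted in or the
    range's bound is itself a prerelease (assumed to count as explicitly asking)."""
    m = _RANGE_RE.match(range_spec.strip())
    if not m:
        raise ValueError(f"bad range: {range_spec}")
    op, bound = m.groups()
    _, candidate_pre = parse(candidate)
    _, bound_pre = parse(bound)
    if candidate_pre is not None and not (include_prereleases or bound_pre is not None):
        return False
    return _OPS[op](compare(candidate, bound))


def select(range_spec, candidates, include_prereleases=False):
    """Filter a list of versions down to those satisfying the range, preserving order."""
    return [c for c in candidates if matches(range_spec, c, include_prereleases)]


if __name__ == "__main__":
    versions = ["0.9", "1.0-a1", "1.0", "1.0.1", "1.1-b1", "1.1"]
    print(select(">=1.0", versions))        # prereleases excluded by default
    print(select(">=1.0", versions, True))  # 1.1-b1 now matches; 1.0-a1 still sorts below 1.0
    print(select(">=1.0-a1", versions))     # bound names a prerelease, so prereleases count
```

Note the second case: even with prereleases enabled, 1.0-a1 does not satisfy ">=1.0", because it sorts below 1.0. The default exclusion matters for the other direction, where a rule written against final releases would otherwise pull in 1.1-b1.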

Deprecations

Cloudsmith CLI Action v1

We deprecated v1 of the Cloudsmith CLI Action. v1 is built on Node.js 20, which reached end-of-life on April 30, 2026, and GitHub is deprecating Node 20 on hosted runners. Once that happens, v1 workflows will break.

v2 runs on Node.js 24 and migration is a one-line change to your GitHub Actions workflow:

- uses: cloudsmith-io/cloudsmith-cli-action@v1
+ uses: cloudsmith-io/cloudsmith-cli-action@v2

There are two breaking changes to verify before upgrading. One, ensure that self-hosted runners explicitly provide Node.js 24+. Two, the default OIDC audience changed in v2, so update your configuration so it conforms to the new expected values.

No input or output names have changed in v2. Security-only patches continue on v1 until December 31, 2026. After that, v1 reaches end-of-life. See the full migration details for more.

The full Cloudsmith changelog has the complete record of every release, including additional detail on the entries above.

Current Cloudsmith users that want to enable early access features should contact their account manager.

Not using Cloudsmith yet? Book a demo to discover how Cloudsmith helps secure the software supply chain in your tech stack.