We’ve recently released a set of improvements across the Cloudsmith 

 focused on logs, error messaging, and usability.

: You can now select between UTC and your browser’s local time when viewing both Client Logs and Audit Logs, letting you skip the mental time zone math.

Quick package navigation from Client Logs

: We’ve added a hyperlink to the package name within Client Logs, allowing you to click directly to the package details page. This saves time when investigating package activity.

Independent scrolling of logs table and filters

: On the Client Logs page, you can now scroll the filters panel independent of the logs table, a usability improvement for ensuring you can easily set your filters.

 The application now rounds the wait time in a throttling error message to a whole number, removing overly precise fractions of a second to keep the message clear.

: We’ve polished how Docker tags are displayed throughout the UI for better clarity.

: We fixed a bug where the chevron icon to expand Package Groups was not working correctly for non-Docker images.

 Filters for key:value pairs are no longer case sensitive, making it easier and less error-prone to filter the packages view.

Fixed package Copy/Move after Repo rename

: Resolved an issue that prevented you from moving or copying packages to a repository if the repository's display name had recently been changed.

: For packages that fail to synchronize, the UI now displays detailed information about the sync status failure, giving you better insight into the root cause.

 Service accounts are now correctly listed and visible on the Teams management page.

 We've removed the 255-character limit for Webhook Target Endpoint URLs, giving you more flexibility for your integrations.

Recent improvements to the Cloudsmith web app

Monitoring the software licenses in use across your organization is critical. Stripping out dependencies that can't be incorporated into commercial software, or don't conform to your corporate licensing policies, is expensive and time consuming. Getting early visibility over software licenses in use by your teams is the goal.

Cloudsmith's web app now gives you a breakdown of your packages by license, and lists packages with no apparent software license. 

If you're a workspace Owner or Manager, you'll find software license information under Compliance at both a workspace and repository level. You'll see a breakdown of packages by license, with quick filters showing packages with 

. You can also edit and override  license information associated with a specific package if required.

Software license dashboard added to the web app

You can now use Cloudsmith to proxy and cache packages from public Conda channels (upstreams). This update helps you maintain a single, reliable source of truth for all your Conda packages, combining your private packages with cached versions of the public upstreams you depend on.

This is ideal for any team using Conda who wants the speed, security, and control of Cloudsmith across their entire package workflow.

Configure an upstream source in your Cloudsmith repository. Cloudsmith will automatically fetch and cache Conda packages from any public channel you choose, including:

: `https://conda.anaconda.org/conda-forge`

Ready to centralize your Conda package management? See our 

Proxy and cache packages from public Conda channels

, the Client Logs and Client Statistics views in the classic web app will remain visible but will no longer receive updated data.

This change is part of our migration to the new 

, where all future improvements to observability and analytics are being delivered.

We have released several recent improvements for log observability. To view the latest information, you can use Client Logs in our 

 are also available if you need to access this data in your own observability stack.

For more information on Client Logs in the new web app, you can 

Learn more about the new enhancements to Client Logs 

, which is built on our latest data pipeline. If you have any questions about this migration, or need help making the switch, please 

Deprecation: Client Logs and Client Statistics in the classic web app

We’ve added a new policy action to Enterprise Policy Manager (EPM): 

. This enables reversible tagging workflows - for example, if a package was previously tagged as risky due to a CVE policy violation but is later cleared because the CVE was withdrawn, downgraded, or assessed as low risk and approved for continued use, you can now remove that tag automatically.

Configure an EPM policy to remove specific tags through the UI or API.

Remove any mutable tag, whether it was added by a policy or manually by a user.

With this addition, you can now create policies that 

both apply and remove tags as conditions change

, enabling policies that keep tags in sync with the current state of risk. 

👉 Learn how to build a security tagging workflow in the 

Remove Tag policy action added to Enterprise Policy Manager

We’ve improved how Docker images are displayed and navigated in the web app, making it easier to work with tags, architectures and metadata to quickly find what you need.

: An architecture column has been added to the packages table on the packages overview (image 1), and a dropdown on each image overview lets you switch between architectures (image 2).

 Docker tags are shown in a separate component on the image overview (image 2), making them easier to browse and select.

: Package pages now surface richer details, including 

​​These improvements help you quickly find what you need and give clearer insights into an image’s content and supply chain integrity, and are available today in the web application today. 

Improved Docker experience in the Cloudsmith web app

Cloudsmith now displays Docker image signatures and SBOMs (Software Bill of Materials) directly in the web app, giving you greater trust and visibility into the images you use.

SBOMs and signatures have been available through the API to enable client-side verification, but this update makes them directly accessible and easier to inspect in the web app.

 list every dependency, version, and license inside a Docker image, helping you understand what’s in your software supply chain.

 let you verify authenticity with Cosign, including viewing ECDSA key details and checking packages against a trusted public key.

improvements to Docker images in the web app

. All of these enhancements are available today for customers using Docker images in Cloudsmith. 

Verify and inspect Docker images

You can now host and distribute your machine learning (ML) models and datasets using Cloudsmith. This brings the same security, governance, and cloud-native performance you already rely on for packages, containers, and binaries to your AI workflows.

: Push and pull public or private models, datasets, and related assets with the standard 

 public models and datasets from the Hugging Face Hub for improved reliability and speed.

to fit your workflows. Store models alongside containers and packages, or separate them into dev, staging, and production.

 with fine-grained permissions for who can view or distribute models. 

 on security, quality, and compliance using Enterprise Policy Management.

ML Model Registry

You can now use quick filters in the package vulnerability view to filter Common Vulnerabilities and Exposures (CVEs) by severity.

The view will still default to ordering vulnerabilities by severity — with Critical issues at the top — but quick filters make it easier to filter directly for High, Medium, Low, or Unknown severities. This helps security teams quickly triage and prioritize, especially when working with artifacts that may have a high number of CVEs (for example, Docker images where the base image alone may contribute a large number). 

Filter CVEs by severity in the package vulnerability view

Cloudsmith now detects malicious packages using data from 

 open source packages designed to attack your supply chain before they reach your builds or customers.

 looks inside a package for known signatures, whereas malicious package detection focuses on packages that are harmful by design — for example, those created to mimic legitimate dependencies or trigger unsafe install behaviors. Together, these capabilities provide broader defense in depth across your repositories.

Here’s how malicious package detection works in Cloudsmith:

: The malicious packages dataset is ingested into Cloudsmith and integrated into Continuous Security.

: Packages in your repositories are regularly evaluated against this dataset.

: Enterprise Policy Management (EPM) lets you define policies to automatically quarantine or block flagged packages.

Cloudsmith Changelog