You can now use Cloudsmith to proxy and cache packages from public Conda channels (upstreams). This update helps you maintain a single, reliable source of truth for all your Conda packages, combining your private packages with cached versions of the public upstreams you depend on.

This is ideal for any team using Conda who wants the speed, security, and control of Cloudsmith across their entire package workflow.

Configure an upstream source in your Cloudsmith repository. Cloudsmith will automatically fetch and cache Conda packages from any public channel you choose, including:

: `https://conda.anaconda.org/conda-forge`

Ready to centralize your Conda package management? See our 

Proxy and cache packages from public Conda channels

, the Client Logs and Client Statistics views in the classic web app will remain visible but will no longer receive updated data.

This change is part of our migration to the new 

, where all future improvements to observability and analytics are being delivered.

We have released several recent improvements for log observability. To view the latest information, you can use Client Logs in our 

 are also available if you need to access this data in your own observability stack.

For more information on Client Logs in the new web app, you can 

Learn more about the new enhancements to Client Logs 

, which is built on our latest data pipeline. If you have any questions about this migration, or need help making the switch, please 

Deprecation: Client Logs and Client Statistics in the classic web app

We’ve added a new policy action to Enterprise Policy Manager (EPM): 

. This enables reversible tagging workflows - for example, if a package was previously tagged as risky due to a CVE policy violation but is later cleared because the CVE was withdrawn, downgraded, or assessed as low risk and approved for continued use, you can now remove that tag automatically.

Configure an EPM policy to remove specific tags through the UI or API.

Remove any mutable tag, whether it was added by a policy or manually by a user.

With this addition, you can now create policies that 

both apply and remove tags as conditions change

, enabling policies that keep tags in sync with the current state of risk. 

👉 Learn how to build a security tagging workflow in the 

Remove Tag policy action added to Enterprise Policy Manager

We’ve improved how Docker images are displayed and navigated in the web app, making it easier to work with tags, architectures and metadata to quickly find what you need.

: An architecture column has been added to the packages table on the packages overview (image 1), and a dropdown on each image overview lets you switch between architectures (image 2).

 Docker tags are shown in a separate component on the image overview (image 2), making them easier to browse and select.

: Package pages now surface richer details, including 

​​These improvements help you quickly find what you need and give clearer insights into an image’s content and supply chain integrity, and are available today in the web application today. 

Improved Docker experience in the Cloudsmith web app

Cloudsmith now displays Docker image signatures and SBOMs (Software Bill of Materials) directly in the web app, giving you greater trust and visibility into the images you use.

SBOMs and signatures have been available through the API to enable client-side verification, but this update makes them directly accessible and easier to inspect in the web app.

 list every dependency, version, and license inside a Docker image, helping you understand what’s in your software supply chain.

 let you verify authenticity with Cosign, including viewing ECDSA key details and checking packages against a trusted public key.

improvements to Docker images in the web app

. All of these enhancements are available today for customers using Docker images in Cloudsmith. 

Verify and inspect Docker images

You can now host and distribute your machine learning (ML) models and datasets using Cloudsmith. This brings the same security, governance, and cloud-native performance you already rely on for packages, containers, and binaries to your AI workflows.

: Push and pull public or private models, datasets, and related assets with the standard 

 public models and datasets from the Hugging Face Hub for improved reliability and speed.

to fit your workflows. Store models alongside containers and packages, or separate them into dev, staging, and production.

 with fine-grained permissions for who can view or distribute models. 

 on security, quality, and compliance using Enterprise Policy Management.

ML Model Registry

You can now use quick filters in the package vulnerability view to filter Common Vulnerabilities and Exposures (CVEs) by severity.

The view will still default to ordering vulnerabilities by severity — with Critical issues at the top — but quick filters make it easier to filter directly for High, Medium, Low, or Unknown severities. This helps security teams quickly triage and prioritize, especially when working with artifacts that may have a high number of CVEs (for example, Docker images where the base image alone may contribute a large number). 

Filter CVEs by severity in the package vulnerability view

Cloudsmith now detects malicious packages using data from 

 open source packages designed to attack your supply chain before they reach your builds or customers.

 looks inside a package for known signatures, whereas malicious package detection focuses on packages that are harmful by design — for example, those created to mimic legitimate dependencies or trigger unsafe install behaviors. Together, these capabilities provide broader defense in depth across your repositories.

Here’s how malicious package detection works in Cloudsmith:

: The malicious packages dataset is ingested into Cloudsmith and integrated into Continuous Security.

: Packages in your repositories are regularly evaluated against this dataset.

: Enterprise Policy Management (EPM) lets you define policies to automatically quarantine or block flagged packages.

Malicious package detection

You can now use Cloudsmith’s package search syntax to refine the scope of your repository's retention rules when configuring them via the Cloudsmith web application and via the Cloudsmith Terraform provider. This functionality builds on the existing support to 

scope retention rules by package search syntax via the API

, and makes it easier to target exactly which packages to keep or remove.

To start using it via the web application, browse to your repository Settings, and click Retention Rules. Use the 

Retention rules: Refine scope with package search syntax via web app and Terraform provider

, a refreshed and re-architected documentation website for Cloudsmith. 

We believe that good documentation is an essential component of a great product. Our documentation helps new developers get started with Cloudsmith, and enables customers to get the most value from our platform. 

Our new documentation website has better content and simpler navigation, and reflects the design of our web app.

We've added and improved dozens of pages on 

. It is now the best guide to using Cloudsmith

The old documentation site will remain available 

, at which point old docs will redirect to new versions on 

We will continue to make updates to our old documentation website, 

We are migrating knowledge base content from our 

, we believe in collective ownership of documentation. That’s why we’ve housed the source text for our docs in 

, which is editable by our customers, partners, and developers.

 you'll see a View in GitHub button, so you can edit pages directly, and issue pull requests to improve our docs. We'll review all edits and suggestions, and merge them regularly.

As always, if you have any questions, please 

Cloudsmith Changelog