 to support native Azure DevOps OIDC authentication. You can now authenticate pipelines using the Azure DevOps built-in issuer, completely removing the dependency on Microsoft Entra (Azure AD) App Registrations.

OpenID Connect (OIDC) is the gold standard for pipeline security, utilizing short-lived tokens and granular claims. Previously, adopting OIDC in Azure DevOps was complex, requiring the creation of a Microsoft Entra App and the management of static secrets like client and tenant IDs. This dependency often blocked DevOps teams, forcing them to wait on elevated IT or security permissions just to configure a build pipeline.

This update removes that friction entirely. By leveraging the native Azure DevOps issuer, teams can now achieve a "zero-config" setup that bypasses Entra App Registrations. This restores autonomy to DevOps engineers, allowing them to self-serve secure authentication configurations directly within the pipeline while maintaining strict security standards.

To adopt the new flow, create an OIDC provider in Cloudsmith with the Provider URL 

Native OIDC authentication for Azure DevOps

 to capture error events, giving platform engineering teams the critical information needed to troubleshoot build issues on behalf of their teams.

 only displayed successful activity, so it could be challenging to manually piece together context when errors occurred. With this update, Cloudsmith provides more comprehensive observability into your software supply chain. By surfacing requests that result in an error alongside successful ones, your team gains a centralized view of system health, making it easier to spot trends and resolve issues quickly.

: In addition to the status code, logs capture key request details including method, path, timestamp, user agent, IP address, and location.

This feature is available now in the Cloudsmith web app for customers using 

. Error logs will also soon be available in your Cloudsmith client log exports; please 

Troubleshoot failed download requests with client error logs

, Cloudsmith will no longer store historical scan results from Trivy scans; only the latest scan results from Trivy scans for each package will be available.

This change affects historical data that is 

. Historical scan results are not displayed in the Cloudsmith web app. Usage analysis indicates that no customers currently access this historical data. If you interact with our vulnerability endpoints today, you are likely already focusing on the latest scan results, which will remain fully accessible.

We are removing this unused data to improve platform performance and prepare for upcoming security features.

 Historical scan data accounts for a large portion of our database size. By removing this unused historical data, we will improve response times for package search endpoints.

 This cleanup supports our transition to 

 in 2026. Continuous Security will replace Trivy scans with an hourly feed that automatically matches new threats to your artifacts, providing faster and more accurate security insights.

The vulnerability API endpoints listed below will remain active and still return a list. The only change in behavior is that the data returned will be the 

 scan result for a package, rather than historical scans.

https://docs.cloudsmith.com/api/vulnerabilities/namespace/list

https://docs.cloudsmith.com/api/vulnerabilities/package/list

https://docs.cloudsmith.com/api/vulnerabilities/read

https://docs.cloudsmith.com/api/vulnerabilities/repo/list

For more information on the upcoming Continuous Security features, please read our 

. If you have any questions or concerns about this upcoming change, please 

Deprecating historical scan results retention

 is now available in Early Access, providing a secure solution for distributing proprietary software, such as internal SDKs, libraries, and premium commercial content. Backed by our global software distribution infrastructure and integrated directly into Cloudsmith, Private Broadcasts provides a custom, branded 

 distribution portal. This ensures customers and partners can easily access your packages, with authentication managed exclusively through entitlement tokens.

 Safely share internal tools with your team or deliver premium artifacts to paying customers, with access managed via Cloudsmith entitlement tokens.

 Use Access Links to provide a one-click method for users to authenticate, removing the need to manually enter secret keys.

 (Ultra & Enterprise) Customize your distribution portal with a custom URL, company logo, and colors for a cohesive user experience.

 Users can download packages via the web or standard native tooling, ensuring they can consume software in familiar ways.

If you would like to try this feature, please 

Introducing Private Broadcasts for secure software distribution

 command to the Cloudsmith CLI, enabling users to programmatically retrieve packages from repositories. This command provides advanced filtering, bulk operations, and pre-execution validation features.

This update resolves the prior friction created by the lack of a native download utility, eliminating the need for manual web UI downloads or complex 

 command is designed for flexible and automated artifact fetching:

 Automatically finds the latest version of a package by name across all repository versions.

 Supports filtering based on metadata such as 

 flag to download all associated package assets (e.g., sources, javadoc, SBOMs).

 Define a custom output directory for downloads using the 

 option, particularly useful for bulk operations.

 capability to see exactly which files would be downloaded without initiating the transfer.

Below are practical examples illustrating the command's flexibility:

 for Cloudsmith. This is NOT a package manager pull command. Unlike tools such as docker pull, npm install, or pip install, this command 

Install packages into your local environment

Manage dependencies or perform package resolution

Set up package registries or configure local tooling

Its function is to transfer the package files (binaries, archives, etc.) to your local filesystem for manual use, inspection, or further processing.

If you have feedback or questions about the Cloudsmith CLI, please 

Download command added to the Cloudsmith CLI

We've significantly enhanced the Cloudsmith Terraform Provider with new 

New data sources have been added to allow customers to retrieve information about their organization's configuration (like a 

 request), enabling the creation of more complex Terraform code based on specific outputs:

 resource now supports several new upstream formats:

For more information, including examples and documentation on all resources, please visit:

https://registry.terraform.io/providers/cloudsmith-io/cloudsmith/latest/docs

New data sources and expanded upstream support added to the Cloudsmith Terraform Provider

Cloudsmith now provides official upstream proxying and caching support for 

 in your npm repositories. This integration enables customers to use Cloudsmith as the primary, secure distribution platform for Chainguard’s malware-resistant, built-from-source JavaScript dependencies.

 Use Cloudsmith as the single source of truth for all npm dependencies, including Chainguard Libraries, ensuring reliability and high availability.

 Gain detailed information and consumption metrics on all package requests and versions in use (including from Chainguard Libraries) through Cloudsmith.

 Leverage Cloudsmith policies to govern what packages flow to users/pipelines, and utilize Cloudsmith’s built-in 

 Chainguard's dependencies are built using their hardened 

, providing verifiable software provenance.

The Chainguard Libraries for Javascript repository only includes libraries built by Chainguard from source. For full coverage, we recommend a dual-upstream configuration to allow for a fallback to the public registry.

Chainguard Libraries for Javascript Upstream (Priority 1)

 Add the Username and Password value from your Chainguard Libraries access settings.

Public npm Registry Upstream (Priority 2 - Fallback)

 for packages not available in Chainguard, ensuring the most secure and reliable consumption workflow possible.

Upstream Support for Chainguard Libraries for Javascript (npm)

 flag to the Cloudsmith CLI, which simplifies your automation scripts by eliminating the need for pagination logic. Previously, fetching large datasets required looping to iterate through 

. Now, the CLI automatically handles the underlying pagination, fetching every requested item and returning the full list instantly. This lets you simplify your scripts and maintain less code.

 flag to the following commands that support pagination:

Simplify your automations with the new show all flag

We've improved how package statuses are displayed and managed across the Cloudsmith web app to help you 

quickly understand if a package or container is available, safe, and compliant.

We have removed the status flag that indicated a package matched a policy, as this information describes an automation outcome and not a fixed status.

We have consolidated all initial processing and scanning statuses that occur before package availability under a single 

Vulnerability and quarantine statuses have been removed from the Tags column; this information is now communicated directly through the main package status indicator.

We’ve added additional status details in the tooltip when a package has an error or is quarantined.

We've updated the color scheme and icons for consistency and clarity:

: Indicates the package is available but there are 

 and is unavailable. (Red will also be used to indicate malware in future updates.)

These updates apply uniformly across the platform, including package lists in workspaces and repositories, compliance pages, and individual package detail pages.

Improvements to package status indicator in the web app

 field to packages in Cloudsmith, extending 

This feature allows you to create retention rules that automatically clean up packages in your repository based on usage, rather than just age or count, ensuring you retain only actively used packages.

 field is available for use in package queries when setting up or modifying retention rules via the Cloudsmith UI, API and Terraform provider. This field is also exposed in the API and UI, and can be used for general package search filtering.

If you want to set up a retention rule that automatically deletes packages older than a year, you can include the following package filter in your retention rule:

This functionality is not currently available for Docker images, but Docker support is planned for an upcoming release. Additionally, if a package is only proxied through Cloudsmith and never downloaded from the cache afterward, its total downloads will be 0, and the 

Cloudsmith Changelog