We have updated the repository URL structure on the web app to disambiguate repositories from other static routes. This change applies only to the new web app.

app.cloudsmith.com/[WORKSPACE]/[REPOSITORY]/

app.cloudsmith.com/[WORKSPACE]/r/[REPOSITORY]/

We have set up redirects from the old path to the new one. This means if you have a bookmark to a repository, this link will automatically redirect you to the new URL.

New URL structure for repositories on the web app

Builds are now faster with support for parallel artifact uploads during 

Maven 3.9.12 enabled parallel deployment by default, which previously caused a race condition resulting in incomplete packages or synchronization errors. We updated our platform to support these concurrent requests, ensuring stability and reducing total build times.

This update is active for all customers using Maven 3.9.12 or later. No configuration changes are required.

Support for Maven parallel deployment

Public Broadcasts make it easier than ever to deliver software to your end users through a branded, trustworthy, and developer-friendly distribution experience.

Broadcasts allow you to distribute artifacts directly from your Cloudsmith repositories using a polished, customizable user interface that reflects your brand, integrates with native developer tooling, and provides visibility into how your software is being adopted.

 Present your software through an interface that matches your company’s identity. Use your logo, colors, and a custom domain to ensure end users experience a familiar, professional interface when deciding to install your software.

 Eliminate the guesswork from distribution. Gain real-time insights into which versions are being downloaded and how adoption trends change over time.

 Broadcasts integrate seamlessly with native developer tooling, allowing users to fetch packages via their preferred CLI or CI/CD tools—no friction, no workarounds.

 Turn any existing Cloudsmith repository into a professional public distribution portal in seconds. No need to build, host, or maintain custom download pages.

Since the initial Early Access release, we’ve added several features to further refine the distribution experience:

, including architecture and distribution information, is now available on Broadcasts.

 with improved installation documentation to help users get started faster.

, making it easier to share open-source projects and artifacts.

 to start broadcasting today from any existing Cloudsmith repository. 

Public Broadcasts are now generally available

Cloudsmith now provides a reference implementation guide for Amazon SageMaker. This resource demonstrates how to utilize Cloudsmith as a secure, central hub for the Hugging Face models, Docker images, and Python packages required for machine learning workflows.

AI/ML supply chains are often fragmented; relying on unmanaged public sources for models and dependencies introduces security risks and build instability. This guide provides a blueprint for moving ML artifacts into a private, governed environment without disrupting the SageMaker development experience.

This release provides a reusable set of instructions and scripts designed to be embedded directly into your existing SageMaker workflows.

 Use Cloudsmith to proxy and cache Hugging Face models, ensuring consistent availability for SageMaker training jobs.

 Consolidate Python packages and Docker containers within Cloudsmith to create a single source of truth for SageMaker environments.

 Implementation examples cover how to configure SageMaker to authenticate and fetch artifacts securely during execution.

The implementation guide and code samples are available in our public repository:

For detailed setup instructions, refer to the

Secure ML workflows with Cloudsmith and Amazon SageMaker

We are extending the sunset timeline for the Cloudsmith classic web app. While we previously 

the classic app will now remain available through the second half of 2026.

 - our primary platform- delivers a seamless experience that supports your core workflows. We are taking this extra time to close remaining feature gaps and refine the platform based on your feedback.

Some key features coming to the new web app include:

 A new, scalable replacement for public and open-source repositories. (Currently in early access, with full release scheduled for January 2026.)

 A comprehensive log of all package-related events and activities for any repository.

 Increase efficiency by allowing you to take action on multiple packages simultaneously.

 The ability to sign into Cloudsmith seamlessly using your existing accounts from GitHub, GitLab, Google, Amazon, and Microsoft.

We are committed to a transparent transition. 

We will provide a finalized sunset date and detailed migration resources well in advance of the retirement. In the meantime, we encourage you to continue using the new web app and sharing your feedback; your input is directly shaping these final improvements.

Timeline to sunset the classic web app extended to the second half of 2026

 runtime and updates default OIDC audience claims to align with modern security standards.

This is a major version release to prevent breaking changes for users pinned to 

. While core CLI functionality remains unchanged, environment requirements and OIDC defaults have been updated to ensure long-term compatibility and improved security.

 GitHub automatically provides the necessary runtime; no user intervention is required.

 You must ensure Node 24+ is installed on your environment to run 

 Support for Node 20 is now deprecated in this major version. We will continue to maintain 

 until the Node 20 End-of-Life (EOL) scheduled in 

 input has been updated to provide organization-specific audience claims, increasing the security of the OIDC exchange.

f your existing OIDC trust configuration relies on the legacy 

 claim, you must either update your validation logic within Cloudsmith or explicitly set 

oidc-audience: 'api://AzureADTokenExchange'

 in your workflow YAML to maintain current behavior.

For a detailed list of all technical commits and specific file changes, please refer to the 

CLI GitHub Action v2.0.0

A crucial part of effective package management is package distribution. Whether you are dealing with distributed teams or deploying global applications, you need efficient, reliable delivery - anywhere in the world.

To support this, we are continuing to expand our global footprint and are now live in Tokyo.

: We have upgraded our edge infrastructure in APAC. Unlike standard CDNs, Cloudsmith’s PDN is context-aware and optimized specifically for software artifacts.

: Users and build pipelines in Asia will experience faster throughput.

: We now handle authentication logic directly at the Tokyo edge node. This significantly reduces round-trip times for "chatty" protocols (like Maven, NuGet, or Docker) by validating credentials locally rather than routing back to the origin.

: For organizations with strict data residency requirements, you can now explicitly select Tokyo as your storage region. This ensures your data rests physically within Japan, satisfying local compliance needs.

The Tokyo region is available when creating a new repository, and all customers will automatically experience the performance benefits of our expanded PDN.

Accelerating delivery in APAC: Cloudsmith Tokyo is now live

This update to the Cloudsmith CLI introduces programmatic management for Policy Deny Rules, standardizes pagination parameters across the CLI, and upgrades core dependencies.

The CLI now supports full lifecycle management for Policy Deny Rules, enabling tighter integration with infrastructure-as-code workflows. Users can list, create, update, and delete deny policies directly via the command line.

cloudsmith policy deny create <org> POLICY_CONFIG_FILE

cloudsmith policy deny update <org> POLICY_CONFIG_FILE

 for contributing this feature. We welcome community pull requests and feedback to help drive the CLI forward.

To improve consistency, we have updated how pagination is handled across the CLI.

 is the new standard flag for listing all results, replacing 

 remains available as an alias, so existing scripts will not break. However, we recommend updating to 

 as values to instantly retrieve all results.

 Fixed the entitlement token list command to correctly support the new 

 Resolved a dependency conflict preventing installation on Python 3.9 environments.

For a full summary of changes, please visit the 

CLI v1.10.1: Policy deny rules and usability improvements

You can now download auto-generated Software Bills of Materials (SBOMs) for your Docker and OCI images directly from the Cloudsmith web app. This allows you to instantly export supply chain data for use in analysis tools or alongside release documentation.

Previously, SBOMs generated by Cloudsmith were only accessible via the 

. Instead of scripting an API call to retrieve the manifest for a specific image, you can now grab the 

 file with a single click, making SBOMs accessible to a broader range of users.

Click the Actions menu → "Download SBOM"

Downloads are provided in CycloneDX format.

This feature applies only to SBOMs automatically generated by Cloudsmith during the container image synchronization process.

Cloudsmith automatically generates SBOMs for Docker V2 and OCI V1 images.

​​This feature is live and available immediately for all Docker images. If you have any questions or feedback, please 

Download SBOMs directly from the web app

 is “honesty and transparency.” To ensure we’re living up to that value, we’ve given the 

 an overhaul. When Cloudsmith services experience an incident, we want you to know exactly how it impacts your builds, your deployments, and your teams.

This update provides a more granular and organized view of system health from our customers’ perspective, aligning our status reporting directly with the specific workflows you run every day.

To provide a more accurate view of operations and make the impact of incidents easier to understand at a glance, we have made the following structural changes:

: We have updated component names to better reflect the actions occurring within the platform:

Package Upload Processing → Package Uploads

Package Distribution → Package Downloads

Client Logs / Audit Logs export → Audit & Client Log Exports

: We have added new service areas for Security Scanning, Continuous Security, Upstreams, Broadcasts, and Integrations.

: These are now separated into the Cloudsmith Web App (app.cloudsmith.com), Legacy Web App (cloudsmith.io), Broadcasts, Blog, and Help & Documentation.

 These are now grouped together for clarity, including Webhooks, Audit & Client Log Exports, Datadog, and OpenID Connect.

: Each component now features a hover description to explain its function.

Slack & RSS: Subscribers will continue receiving all notifications exactly as before.

Email: Subscriptions will work with the updated component names. However, because we have added new components, 

 to subscribe to these new areas (like Security Scanning) to ensure you receive alerts for them.

We’d love to hear your questions or comments about these changes - just 

Cloudsmith Changelog