By default, Cloudsmith assigns the latest dist-tag to the package with the highest semantic version number, which may not match what the upstream registry considers latest.
A new per-repository setting, npm upstream tags take precedence, lets upstream distribution tags (dist-tags) override Cloudsmith’s semantic versioning (SemVer)-based tag assignment.
When enabled, Cloudsmith's npm metadata logic still uses SemVer as the baseline, then checks for the latest dist-tag in the upstream registry. The upstream tag is applied as an override only if the corresponding version is present within the versions available to the client. If the version is not available (which can be affected by index policy controls, like cooldown policies), the latest tag defaults to the semantically highest available version.
npm users who want to closely replicate npm upstreams. For example, engineering teams who:
You can configure upstream tag precedence for a repository by setting "npm_upstream_tags_take_precedence": true via the API, or by enabling the npm upstream tags take precedence option in the repository settings form:
For more information, see Upstream tag precedence in the Cloudsmith documentation.
A cooldown policy now filters non-compliant package versions from the repository index before package managers ever see them. This provides both security control and a better developer experience: clean resolution to the next compliant version, no build failures, and no waiting…
Cloudsmith CLI Action v1 is now deprecated. Security-only patches will continue until 31st December 2026, after which v1 reaches end-of-life (EOL). Migrate to v2 before 31st December 2026 to avoid disruption…
We're rolling out improvements to how Cloudsmith evaluates relational version ranges across the platform to ensure clearer and more predictable results for semantic version searches and version-based ordering…
Private Broadcasts lets you put your brand front and center throughout the entire distribution experience, distributing software securely to your partners, customers and internal users through your own branded portal. Full customization and built-in analytics give you control over the experience and visibility into adoption, while entitlement tokens keep access tightly managed, so your software reaches exactly the right people…
Multi-select package actions now support delete. Select up to 100 packages and remove them in a single action. Deleted packages will be moved to recently deleted packages for 7 days…
Cloudsmith has always retained deleted packages for 7 days before permanently removing them — but until now, restoring a deleted package required contacting Cloudsmith support. The new “Recently deleted packages” view lets your team find and restore packages directly, whether they were removed manually, by a retention rule, or via a bulk action, without raising a support request…