You can now use Broadcasts to distribute your open-source packages, with separate allowances and usage designed to support maintainers and communities building in the open.

Cloudsmith has long supported open-source distribution through OSS repositories. Broadcasts extends that same support into our new web app, letting you create a single, trusted place for users to access your OSS. Cloudsmith’s 

 outlines what’s available, with at least 50GB of artifact data and 200GB of package delivery included for free for open-source distribution.

Usage is tracked separately from your public broadcasts and private repositories.

Broadcasts for open source distribution is now available in Early Access.

Cloudsmith will automatically convert your OSS repositories

 in our documentation. Interested in Early Access for Broadcasts? 

 anywhere Docker is supported - no installation needed. This makes it easier to integrate into containerized workflows and CI/CD systems, where setup speed and consistency matter.

Installing and managing the CLI across environments, especially in CI/CD pipelines, often meant extra setup steps or custom scripts. The official Docker image provides a portable, consistent way to run the CLI in automation workflows without managing local installations.

Official image published on Docker Hub at 

Supports all CLI packaging formats and commands

Designed for use in CI/CD jobs, dev containers, and other container-native environments

Pass credentials as environment variables or mount config files for authenticated commands

Supports all packaging formats and commands available in the CLI

Need a quick way to use the Cloudsmith CLI in CI/CD or containerized environments? This image is the fastest path forward. It’s available now 

Cloudsmith CLI now available as an official Docker image

We have improved sorting and filtering in the new web application, making it easier to manage members, teams and service accounts in Cloudsmith.

Filter members by name, email address, and role

Use new quick filters to easily narrow down your list of users to a specific role

These improvements are also available for:

If you haven’t made the switch, now is a great time to move to the new web app. It’s where all the latest improvements are landing.

Improved sorting and filtering controls in the new web app

 (JSR) Upstreams. The JavaScript Registry is a modern package registry for JavaScript and TypeScript. It works with many runtimes (Node.js, Deno, Bun, browsers, and more) and is backwards compatible with npm. JSR modules can be used with any JavaScript package manager and in any project with a node_modules folder.

JSR doesn’t offer its own private registry functionality, but it can be used as an upstream for existing private npm registries (like Cloudsmith repositories). You can now 

configure your private Cloudsmith repositories

 to pull and cache packages directly from 

), enabling the use of JSR-hosted packages within your internal workflows.

To enable a JSR upstream, follow the next steps:

Browse to your desired registry in your workspace: 

https://app.cloudsmith.com/MY_WORKSPACE/MY_REPOSITORY

Now you are ready to enjoy all the new packages from JSR with Cloudsmith’s control and security. 

Support added for JSR Upstreams

 and other sources directly through Cloudsmith.

Proxying and caching from upstream repositories makes dependency management for your Rust projects faster, more reliable, and more secure.

 and other sources through your Cloudsmith repository. Keep builds secure and consistent by controlling access to all dependencies from a single integration point.

Cache crates to guard against upstream outages and improve download performance. Cached crates will also be scanned for vulnerabilities and license compliance, and you’ll gain visibility into usage.

Rustaceans, you’re good to go. Check out our 

 documentation for the details. If you have feedback or questions, please 

Proxy and cache crates from crates.io with Cloudsmith

Following our announcement last week about our 

, we have released two new feature enhancements.

Modules fetched from proxy.golang.org can now be cached in your Cloudsmith repository.

This allows all your Go modules to be stored and consumed directly from Cloudsmith, enabling vulnerability scanning, license compliance checks, and the ability to apply policies to your Go Modules.

Cloudsmith can now proxy requests to the 

), allowing verification of public Go modules. The global checksum database is a public transparency log containing a list of checksums for every module stored in the Go Module Proxy. This verification method allows you to detect any tampering attempt on your libraries.

Go module caching and checksum verification

Cloudsmith now gives you stronger control over your software supply chain by blocking downloads of any package that doesn’t pass your organization's security and compliance policies, including packages fetched from upstream registries.

Until now, Cloudsmith applied policy enforcement after the first download of a package proxied from an upstream registry. The package would be served immediately, and if the upstream source was configured to proxy and cache, the package would then be scanned and checked for policy violations. This behavior was intentional. It let customers prioritize speed for their developers 

while building workflows that protected production environments from vulnerabilities

. Subsequent requests for the package would be subject to policy checks. 

As awareness of software supply chain risks has grown, customers are now looking to extend the same level of protection to every touchpoint, including developer machines, starting from the very first download.

Now, you can configure Cloudsmith to delay that first download entirely, preventing developers and build tools from downloading a vulnerable or non-compliant package. 

This new enhancement to policy management acts as an important checkpoint option for all proxied package downloads. Here’s how it works:

: Any download request for a package that is not yet in your Cloudsmith repository and needs to be fetched from an upstream source, will be delayed until the package has been scanned, synchronized, and evaluated against your organization and repository policies.

: This feature ensures that only packages that have successfully passed all policy checks can be downloaded by developers or build pipelines, significantly enhancing the integrity and security of the packages served.

We are launching this new option in early access to all current Ultra plan customers to gather valuable feedback from our users and ensure it meets their needs. Your input will be crucial in refining and perfecting this and future enhancements to our policy management features.

 in order to start using this new feature and take your policy management to the next level.

Broadcasts now support open-source projects

Other logs

Cloudsmith CLI now available as an official Docker image

Improved sorting and filtering controls in the new web app

Support added for JSR Upstreams

Proxy and cache crates from crates.io with Cloudsmith

Go module caching and checksum verification

Enforce policies before any package download, even from proxied upstream registries