We've made a series of usability improvements to 

If you haven't yet configured an upstream on a repository, a new streamlined setup makes it easy to connect to one in a single click.

An error tag is now displayed in the table if an upstream encounters a problem, such as invalid credentials or an unreachable address. Connectivity issues are also surfaced directly in the upstream status column.

Each row in the upstreams table now shows the number of indexed packages, and can be expanded to reveal further detail — including the last indexed timestamp, GPG key details, and distributions.

A reindex action is now available for each upstream.

Upstreams can now be updated without re-entering a password when authentication is enabled.

The upstreams table is now sorted in priority order.

For even greater insight into upstream activity, see 

Track and troubleshoot upstream requests with logs

Set up and monitor upstreams more effectively

 to sunset our old documentation website. The old website has now been retired, and redirects are in place to our 

Today we're releasing an improved search experience on the new docs site. Search is now more prominent in the user experience. Results are much more accurate, and organized into helpful categories - showing results from core documentation, handy guides, and our API reference. As ever, if you have any feedback please 

Improved search experience in Cloudsmith documentation

We’ve updated the Cloudsmith web app with several improvements to streamline your daily workflow and provide better visibility into your account usage.

 The Usage Limits UI now displays your maximum account capacity alongside current consumption, providing a more accurate picture of your remaining limits at a glance.

 When viewing package groups, packages are now sorted by version number in descending order. The most recent and relevant versions are now automatically positioned at the top of the list.

 Users attempting to log in via username/password when SAML is enforced will now receive clear guidance to use SSO, reducing confusion and failed login attempts.

 A new alert will now warn you before you navigate away from a page with unsaved changes, preventing accidental data loss.

 Form validation now provides real-time error messages (such as character limits) within the form. This allows you to fix issues immediately without waiting for a failed submission message.

Recent quality of life improvements in the Cloudsmith web app

We’ve rolled out a suite of updates to 

 to help you deliver a more professional, secure, and transparent experience to your end users.

: Ultra and Enterprise customers can now remove Cloudsmith branding from their portal. Keep your brand front and center with a fully white-labeled interface.

 Docker tags are now visible directly within the package table and details page, providing full context at a glance for faster discovery.

 GPG fingerprint information is now displayed prominently, giving your users immediate confidence in the security and integrity of every package they install.

No more guessing with long version numbers

: Tooltips now display the full version string on hover, ensuring you can identify the exact package you need without confusion.

 are now generally available for all customers. If you're interested in distributing proprietary software securely, 

Recent improvements to Broadcasts

 is “honesty and transparency.” To ensure we’re living up to that value, we’ve given the 

 an overhaul. When Cloudsmith services experience an incident, we want you to know exactly how it impacts your builds, your deployments, and your teams.

This update provides a more granular and organized view of system health from our customers’ perspective, aligning our status reporting directly with the specific workflows you run every day.

To provide a more accurate view of operations and make the impact of incidents easier to understand at a glance, we have made the following structural changes:

: We have updated component names to better reflect the actions occurring within the platform:

Package Upload Processing → Package Uploads

Package Distribution → Package Downloads

Client Logs / Audit Logs export → Audit & Client Log Exports

: We have added new service areas for Security Scanning, Continuous Security, Upstreams, Broadcasts, and Integrations.

: These are now separated into the Cloudsmith Web App (app.cloudsmith.com), Legacy Web App (cloudsmith.io), Broadcasts, Blog, and Help & Documentation.

 These are now grouped together for clarity, including Webhooks, Audit & Client Log Exports, Datadog, and OpenID Connect.

: Each component now features a hover description to explain its function.

Slack & RSS: Subscribers will continue receiving all notifications exactly as before.

Email: Subscriptions will work with the updated component names. However, because we have added new components, 

 to subscribe to these new areas (like Security Scanning) to ensure you receive alerts for them.

We’d love to hear your questions or comments about these changes - just 

Get a more granular view of incident impact with Cloudsmith’s reorganized Status Page

 to support native Azure DevOps OIDC authentication. You can now authenticate pipelines using the Azure DevOps built-in issuer, completely removing the dependency on Microsoft Entra (Azure AD) App Registrations.

OpenID Connect (OIDC) is the gold standard for pipeline security, utilizing short-lived tokens and granular claims. Previously, adopting OIDC in Azure DevOps was complex, requiring the creation of a Microsoft Entra App and the management of static secrets like client and tenant IDs. This dependency often blocked DevOps teams, forcing them to wait on elevated IT or security permissions just to configure a build pipeline.

This update removes that friction entirely. By leveraging the native Azure DevOps issuer, teams can now achieve a "zero-config" setup that bypasses Entra App Registrations. This restores autonomy to DevOps engineers, allowing them to self-serve secure authentication configurations directly within the pipeline while maintaining strict security standards.

To adopt the new flow, create an OIDC provider in Cloudsmith with the Provider URL 

Native OIDC authentication for Azure DevOps

We've improved how package statuses are displayed and managed across the Cloudsmith web app to help you 

quickly understand if a package or container is available, safe, and compliant.

We have removed the status flag that indicated a package matched a policy, as this information describes an automation outcome and not a fixed status.

We have consolidated all initial processing and scanning statuses that occur before package availability under a single 

Vulnerability and quarantine statuses have been removed from the Tags column; this information is now communicated directly through the main package status indicator.

We’ve added additional status details in the tooltip when a package has an error or is quarantined.

We've updated the color scheme and icons for consistency and clarity:

: Indicates the package is available but there are 

 and is unavailable. (Red will also be used to indicate malware in future updates.)

These updates apply uniformly across the platform, including package lists in workspaces and repositories, compliance pages, and individual package detail pages.

Improvements to package status indicator in the web app

 field to packages in Cloudsmith, extending 

This feature allows you to create retention rules that automatically clean up packages in your repository based on usage, rather than just age or count, ensuring you retain only actively used packages.

 field is available for use in package queries when setting up or modifying retention rules via the Cloudsmith UI, API and Terraform provider. This field is also exposed in the API and UI, and can be used for general package search filtering.

If you want to set up a retention rule that automatically deletes packages older than a year, you can include the following package filter in your retention rule:

This functionality is not currently available for Docker images, but Docker support is planned for an upcoming release. Additionally, if a package is only proxied through Cloudsmith and never downloaded from the cache afterward, its total downloads will be 0, and the 

Automate repository cleanup based on last download date

You can now better assess a vulnerability's impact by exploring its key details directly within the vulnerabilities table for a package or container. We've introduced an expanded row layout that shows all available information for a specific finding, helping you make more informed decisions about your response.

Additionally, we’ve added CVSS scores from more than one CVE numbering authority (CNA), allowing you to view data from multiple sources - including NVD, the vendor, or another CNA.

Explore vulnerability details to better assess impact

We’ve recently released a set of improvements across the Cloudsmith 

 focused on logs, error messaging, and usability.

: You can now select between UTC and your browser’s local time when viewing both Client Logs and Audit Logs, letting you skip the mental time zone math.

Quick package navigation from Client Logs

: We’ve added a hyperlink to the package name within Client Logs, allowing you to click directly to the package details page. This saves time when investigating package activity.

Independent scrolling of logs table and filters

: On the Client Logs page, you can now scroll the filters panel independent of the logs table, a usability improvement for ensuring you can easily set your filters.

 The application now rounds the wait time in a throttling error message to a whole number, removing overly precise fractions of a second to keep the message clear.

: We’ve polished how Docker tags are displayed throughout the UI for better clarity.

: We fixed a bug where the chevron icon to expand Package Groups was not working correctly for non-Docker images.

 Filters for key:value pairs are no longer case sensitive, making it easier and less error-prone to filter the packages view.

Fixed package Copy/Move after Repo rename

: Resolved an issue that prevented you from moving or copying packages to a repository if the repository's display name had recently been changed.

: For packages that fail to synchronize, the UI now displays detailed information about the sync status failure, giving you better insight into the root cause.

 Service accounts are now correctly listed and visible on the Teams management page.

 We've removed the 255-character limit for Webhook Target Endpoint URLs, giving you more flexibility for your integrations.

Cloudsmith Changelog