Packages from Debian, Alpine, PyPI, and other ecosystems that use native version ranges are now matched against a broader set of OSV advisories, building on existing coverage for SemVer-based ranges.

Users with active vulnerability policies that use the 

 dataset may see more policy matches than before. This is expected: your policies are now being evaluated against a more complete set of advisories. It's broader coverage, not noise.

 for more information on how to access the OSV.dev dataset to create your vulnerability policies.

Vulnerability detection now covers ecosystem-native OSV advisories

Two additional policy evaluation triggers are now available, ensuring that policies are enforced consistently across repositories without manual intervention.

Policy evaluations will now also trigger when:

A policy or policy action is created, edited, or deleted.

 Any change to your policy configuration immediately re-evaluates affected packages against the updated ruleset, so your policy coverage stays current without manual intervention.

 Any package that has not been evaluated against policies within the last 12 hours is automatically picked up for evaluation. This scheduled sweep runs every 12 hours, closing the gap for packages that may have been missed by event-driven triggers or that rely on a time-based value to determine what action to take.

These additional triggers are being rolled out to all early access customers over the next few weeks. They apply to policy-as-code configurations and do not affect legacy policies. An increase in policy matches is expected during this period as packages that were previously unevaluated are assessed for the first time.

These additional triggers complement the existing set, which includes package upload, resync, copy, manual scan, recurring scan, and when Cloudsmith receives updated package data, such as Common Vulnerability Scoring System (CVSS) or Exploit Prediction Scoring System (EPSS) updates.

More events now trigger policy evaluations

A cooldown policy now filters non-compliant package versions from the repository index before package managers ever see them. This provides both security control and a better developer experience: clean resolution to the next compliant version, no build failures, and no waiting.

Malicious packages typically live in public registries for hours before detection. In that window, automated CI/CD pipelines can pull them straight into customer builds. A package cooldown policy closes that gap by enforcing a minimum age requirement on packages before they're available to install.

Previously, cooldowns were enforced at the point of download, meaning a build requesting a version still within the cooldown window would fail to resolve. Now, we’ve moved enforcement to the repository index, filtering out non-compliant versions before package managers see them. Builds resolve cleanly to the first available compliant version, with no iterative build failures.

Non-compliant package versions are filtered automatically:

 Package managers only ever see versions that meet your policy requirements.

 Builds succeed without retries, failures, or workarounds. Developers don't need to worry about the impact of having a cooldown policy in effect.

Enforcement is server side and enterprise wide:

 Security teams configure policies once in Cloudsmith, applied consistently across every consumer of the registry, no per-client configuration required.

 (for example, 3 days) for the repositories and formats you want to protect.

When a package manager requests the index, Cloudsmith evaluates every version against the policy in real time.

 are filtered from the index, and the package manager 

automatically resolves to the first available compliant version

This feature is available in Early Access for Ultra and Enterprise customers.

 to request early access or register interest in additional format support.

Cooldown policies now prevent builds from seeing non-compliant packages

 now support delete. Select up to 100 packages and remove them in a single action. Deleted packages will be moved to 

Delete up to 100 packages at once with multi-select

We've made a series of usability improvements to 

If you haven't yet configured an upstream on a repository, a new streamlined setup makes it easy to connect to one in a single click.

An error tag is now displayed in the table if an upstream encounters a problem, such as invalid credentials or an unreachable address. Connectivity issues are also surfaced directly in the upstream status column.

Each row in the upstreams table now shows the number of indexed packages, and can be expanded to reveal further detail — including the last indexed timestamp, GPG key details, and distributions.

A reindex action is now available for each upstream.

Upstreams can now be updated without re-entering a password when authentication is enabled.

The upstreams table is now sorted in priority order.

For even greater insight into upstream activity, see 

Track and troubleshoot upstream requests with logs

Set up and monitor upstreams more effectively

 to sunset our old documentation website. The old website has now been retired, and redirects are in place to our 

Today we're releasing an improved search experience on the new docs site. Search is now more prominent in the user experience. Results are much more accurate, and organized into helpful categories - showing results from core documentation, handy guides, and our API reference. As ever, if you have any feedback please 

Improved search experience in Cloudsmith documentation

We’ve updated the Cloudsmith web app with several improvements to streamline your daily workflow and provide better visibility into your account usage.

 The Usage Limits UI now displays your maximum account capacity alongside current consumption, providing a more accurate picture of your remaining limits at a glance.

 When viewing package groups, packages are now sorted by version number in descending order. The most recent and relevant versions are now automatically positioned at the top of the list.

 Users attempting to log in via username/password when SAML is enforced will now receive clear guidance to use SSO, reducing confusion and failed login attempts.

 A new alert will now warn you before you navigate away from a page with unsaved changes, preventing accidental data loss.

 Form validation now provides real-time error messages (such as character limits) within the form. This allows you to fix issues immediately without waiting for a failed submission message.

Recent quality of life improvements in the Cloudsmith web app

We’ve rolled out a suite of updates to 

 to help you deliver a more professional, secure, and transparent experience to your end users.

: Ultra and Enterprise customers can now remove Cloudsmith branding from their portal. Keep your brand front and center with a fully white-labeled interface.

 Docker tags are now visible directly within the package table and details page, providing full context at a glance for faster discovery.

 GPG fingerprint information is now displayed prominently, giving your users immediate confidence in the security and integrity of every package they install.

No more guessing with long version numbers

: Tooltips now display the full version string on hover, ensuring you can identify the exact package you need without confusion.

 are now generally available for all customers. If you're interested in distributing proprietary software securely, 

Recent improvements to Broadcasts

 is “honesty and transparency.” To ensure we’re living up to that value, we’ve given the 

 an overhaul. When Cloudsmith services experience an incident, we want you to know exactly how it impacts your builds, your deployments, and your teams.

This update provides a more granular and organized view of system health from our customers’ perspective, aligning our status reporting directly with the specific workflows you run every day.

To provide a more accurate view of operations and make the impact of incidents easier to understand at a glance, we have made the following structural changes:

: We have updated component names to better reflect the actions occurring within the platform:

Package Upload Processing → Package Uploads

Package Distribution → Package Downloads

Client Logs / Audit Logs export → Audit & Client Log Exports

: We have added new service areas for Security Scanning, Continuous Security, Upstreams, Broadcasts, and Integrations.

: These are now separated into the Cloudsmith Web App (app.cloudsmith.com), Legacy Web App (cloudsmith.io), Broadcasts, Blog, and Help & Documentation.

 These are now grouped together for clarity, including Webhooks, Audit & Client Log Exports, Datadog, and OpenID Connect.

: Each component now features a hover description to explain its function.

Slack & RSS: Subscribers will continue receiving all notifications exactly as before.

Email: Subscriptions will work with the updated component names. However, because we have added new components, 

 to subscribe to these new areas (like Security Scanning) to ensure you receive alerts for them.

We’d love to hear your questions or comments about these changes - just 

Get a more granular view of incident impact with Cloudsmith’s reorganized Status Page

 to support native Azure DevOps OIDC authentication. You can now authenticate pipelines using the Azure DevOps built-in issuer, completely removing the dependency on Microsoft Entra (Azure AD) App Registrations.

OpenID Connect (OIDC) is the gold standard for pipeline security, utilizing short-lived tokens and granular claims. Previously, adopting OIDC in Azure DevOps was complex, requiring the creation of a Microsoft Entra App and the management of static secrets like client and tenant IDs. This dependency often blocked DevOps teams, forcing them to wait on elevated IT or security permissions just to configure a build pipeline.

This update removes that friction entirely. By leveraging the native Azure DevOps issuer, teams can now achieve a "zero-config" setup that bypasses Entra App Registrations. This restores autonomy to DevOps engineers, allowing them to self-serve secure authentication configurations directly within the pipeline while maintaining strict security standards.

To adopt the new flow, create an OIDC provider in Cloudsmith with the Provider URL 

Cloudsmith Changelog