 to capture error events, giving platform engineering teams the critical information needed to troubleshoot build issues on behalf of their teams.

 only displayed successful activity, so it could be challenging to manually piece together context when errors occurred. With this update, Cloudsmith provides more comprehensive observability into your software supply chain. By surfacing requests that result in an error alongside successful ones, your team gains a centralized view of system health, making it easier to spot trends and resolve issues quickly.

: In addition to the status code, logs capture key request details including method, path, timestamp, user agent, IP address, and location.

This feature is available now in the Cloudsmith web app for customers using 

. Error logs will also soon be available in your Cloudsmith client log exports; please 

Troubleshoot failed download requests with client error logs

 command to the Cloudsmith CLI, enabling users to programmatically retrieve packages from repositories. This command provides advanced filtering, bulk operations, and pre-execution validation features.

This update resolves the prior friction created by the lack of a native download utility, eliminating the need for manual web UI downloads or complex 

 command is designed for flexible and automated artifact fetching:

 Automatically finds the latest version of a package by name across all repository versions.

 Supports filtering based on metadata such as 

 flag to download all associated package assets (e.g., sources, javadoc, SBOMs).

 Define a custom output directory for downloads using the 

 option, particularly useful for bulk operations.

 capability to see exactly which files would be downloaded without initiating the transfer.

Below are practical examples illustrating the command's flexibility:

 for Cloudsmith. This is NOT a package manager pull command. Unlike tools such as docker pull, npm install, or pip install, this command 

Install packages into your local environment

Manage dependencies or perform package resolution

Set up package registries or configure local tooling

Its function is to transfer the package files (binaries, archives, etc.) to your local filesystem for manual use, inspection, or further processing.

If you have feedback or questions about the Cloudsmith CLI, please 

Download command added to the Cloudsmith CLI

We've significantly enhanced the Cloudsmith Terraform Provider with new 

New data sources have been added to allow customers to retrieve information about their organization's configuration (like a 

 request), enabling the creation of more complex Terraform code based on specific outputs:

 resource now supports several new upstream formats:

For more information, including examples and documentation on all resources, please visit:

https://registry.terraform.io/providers/cloudsmith-io/cloudsmith/latest/docs

New data sources and expanded upstream support added to the Cloudsmith Terraform Provider

Cloudsmith now provides official upstream proxying and caching support for 

 in your npm repositories. This integration enables customers to use Cloudsmith as the primary, secure distribution platform for Chainguard’s malware-resistant, built-from-source JavaScript dependencies.

 Use Cloudsmith as the single source of truth for all npm dependencies, including Chainguard Libraries, ensuring reliability and high availability.

 Gain detailed information and consumption metrics on all package requests and versions in use (including from Chainguard Libraries) through Cloudsmith.

 Leverage Cloudsmith policies to govern what packages flow to users/pipelines, and utilize Cloudsmith’s built-in 

 Chainguard's dependencies are built using their hardened 

, providing verifiable software provenance.

The Chainguard Libraries for Javascript repository only includes libraries built by Chainguard from source. For full coverage, we recommend a dual-upstream configuration to allow for a fallback to the public registry.

Chainguard Libraries for Javascript Upstream (Priority 1)

 Add the Username and Password value from your Chainguard Libraries access settings.

Public npm Registry Upstream (Priority 2 - Fallback)

 for packages not available in Chainguard, ensuring the most secure and reliable consumption workflow possible.

Upstream Support for Chainguard Libraries for Javascript (npm)

 flag to the Cloudsmith CLI, which simplifies your automation scripts by eliminating the need for pagination logic. Previously, fetching large datasets required looping to iterate through 

. Now, the CLI automatically handles the underlying pagination, fetching every requested item and returning the full list instantly. This lets you simplify your scripts and maintain less code.

 flag to the following commands that support pagination:

Simplify your automations with the new show all flag

. This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., two weeks) after release.

Implementing policies that delay package use is an effective safeguard to protect against zero-day attacks. Enforcing a time lag before consuming a new package or package version gives the community time to find and flag any problems and for intelligence feeds to get updated.

A policy that quarantined npm packages published in the past two weeks 

would have protected organizations during the September 8, 2025 npm attack

 which compromised widely used packages like 

Within two hours, the community had flagged the problem, but automated CI/CD pipelines had already downloaded the latest versions, the ones containing the malicious code.

When used alongside an EPM policy in Cloudsmith to block or quarantine all known malicious packages, you’ll have protection against zero-day attacks and known malicious packages, ensuring these packages never make it into your software supply chain. For more security rules, check out our 

The following Rego code defines a policy that matches and quarantines npm packages whose upstream publish date is within the last 

Upstream publish date is available for npm packages

, with additional formats coming soon. Learn more in the Enterprise Policy Manager 

Enforce vetting for npm packages with publish date policies

Cloudsmith’s Enterprise Policy Manager (EPM)

 data to enable powerful, component-level policies for Docker and OCI container images.

This upgrade extends EPM policy enforcement beyond basic package metadata to the internal components of an image, giving you more control over the composition of containers used within your organization.

With SBOM data, you can now apply EPM policies based on:

 Target specific components by name or other attributes.

 Enforce license compliance by applying rules based on the licenses of any component within the container.

Cloudsmith generates CycloneDX SBOMs for every Docker image or container image uploaded to Cloudsmith.

The SBOM data is made available within the EPM schema (input.v0.sbom field) in the native CycloneDX Bill of Materials JSON format.

You can use any of the available fields in the JSON file to create your own policies. In addition to exploring the schema, 

All standard EPM actions (including block, quarantine and tag) are available when creating policies based on SBOM data.

Here is a simple policy to enforce a strict set of allowed licenses:


This capability is in Early Access, available to Ultra and Enterprise customers via Enterprise Policy Manager. Learn more in the Enterprise Policy Manager 

Get more control over containers with SBOM-based policies in EPM

Monitoring the software licenses in use across your organization is critical. Stripping out dependencies that can't be incorporated into commercial software, or don't conform to your corporate licensing policies, is expensive and time consuming. Getting early visibility over software licenses in use by your teams is the goal.

Cloudsmith's web app now gives you a breakdown of your packages by license, and lists packages with no apparent software license. 

If you're a workspace Owner or Manager, you'll find software license information under Compliance at both a workspace and repository level. You'll see a breakdown of packages by license, with quick filters showing packages with 

. You can also edit and override  license information associated with a specific package if required.

Software license dashboard added to the web app

You can now use Cloudsmith to proxy and cache packages from public Conda channels (upstreams). This update helps you maintain a single, reliable source of truth for all your Conda packages, combining your private packages with cached versions of the public upstreams you depend on.

This is ideal for any team using Conda who wants the speed, security, and control of Cloudsmith across their entire package workflow.

Configure an upstream source in your Cloudsmith repository. Cloudsmith will automatically fetch and cache Conda packages from any public channel you choose, including:

: `https://conda.anaconda.org/conda-forge`

Ready to centralize your Conda package management? See our 

Proxy and cache packages from public Conda channels

We’ve added a new policy action to Enterprise Policy Manager (EPM): 

. This enables reversible tagging workflows - for example, if a package was previously tagged as risky due to a CVE policy violation but is later cleared because the CVE was withdrawn, downgraded, or assessed as low risk and approved for continued use, you can now remove that tag automatically.

Configure an EPM policy to remove specific tags through the UI or API.

Remove any mutable tag, whether it was added by a policy or manually by a user.

With this addition, you can now create policies that 

both apply and remove tags as conditions change

, enabling policies that keep tags in sync with the current state of risk. 

👉 Learn how to build a security tagging workflow in the 

Cloudsmith Changelog