Cloudsmith now provides a reference implementation guide for Amazon SageMaker. This resource demonstrates how to utilize Cloudsmith as a secure, central hub for the Hugging Face models, Docker images, and Python packages required for machine learning workflows.

AI/ML supply chains are often fragmented; relying on unmanaged public sources for models and dependencies introduces security risks and build instability. This guide provides a blueprint for moving ML artifacts into a private, governed environment without disrupting the SageMaker development experience.

This release provides a reusable set of instructions and scripts designed to be embedded directly into your existing SageMaker workflows.

 Use Cloudsmith to proxy and cache Hugging Face models, ensuring consistent availability for SageMaker training jobs.

 Consolidate Python packages and Docker containers within Cloudsmith to create a single source of truth for SageMaker environments.

 Implementation examples cover how to configure SageMaker to authenticate and fetch artifacts securely during execution.

The implementation guide and code samples are available in our public repository:

For detailed setup instructions, refer to the

Secure ML workflows with Cloudsmith and Amazon SageMaker

 runtime and updates default OIDC audience claims to align with modern security standards.

This is a major version release to prevent breaking changes for users pinned to 

. While core CLI functionality remains unchanged, environment requirements and OIDC defaults have been updated to ensure long-term compatibility and improved security.

 GitHub automatically provides the necessary runtime; no user intervention is required.

 You must ensure Node 24+ is installed on your environment to run 

 Support for Node 20 is now deprecated in this major version. We will continue to maintain 

 until the Node 20 End-of-Life (EOL) scheduled in 

 input has been updated to provide organization-specific audience claims, increasing the security of the OIDC exchange.

f your existing OIDC trust configuration relies on the legacy 

 claim, you must either update your validation logic within Cloudsmith or explicitly set 

oidc-audience: 'api://AzureADTokenExchange'

 in your workflow YAML to maintain current behavior.

For a detailed list of all technical commits and specific file changes, please refer to the 

CLI GitHub Action v2.0.0

A crucial part of effective package management is package distribution. Whether you are dealing with distributed teams or deploying global applications, you need efficient, reliable delivery - anywhere in the world.

To support this, we are continuing to expand our global footprint and are now live in Tokyo.

: We have upgraded our edge infrastructure in APAC. Unlike standard CDNs, Cloudsmith’s PDN is context-aware and optimized specifically for software artifacts.

: Users and build pipelines in Asia will experience faster throughput.

: We now handle authentication logic directly at the Tokyo edge node. This significantly reduces round-trip times for "chatty" protocols (like Maven, NuGet, or Docker) by validating credentials locally rather than routing back to the origin.

: For organizations with strict data residency requirements, you can now explicitly select Tokyo as your storage region. This ensures your data rests physically within Japan, satisfying local compliance needs.

The Tokyo region is available when creating a new repository, and all customers will automatically experience the performance benefits of our expanded PDN.

Accelerating delivery in APAC: Cloudsmith Tokyo is now live

This update to the Cloudsmith CLI introduces programmatic management for Policy Deny Rules, standardizes pagination parameters across the CLI, and upgrades core dependencies.

The CLI now supports full lifecycle management for Policy Deny Rules, enabling tighter integration with infrastructure-as-code workflows. Users can list, create, update, and delete deny policies directly via the command line.

cloudsmith policy deny create <org> POLICY_CONFIG_FILE

cloudsmith policy deny update <org> POLICY_CONFIG_FILE

 for contributing this feature. We welcome community pull requests and feedback to help drive the CLI forward.

To improve consistency, we have updated how pagination is handled across the CLI.

 is the new standard flag for listing all results, replacing 

 remains available as an alias, so existing scripts will not break. However, we recommend updating to 

 as values to instantly retrieve all results.

 Fixed the entitlement token list command to correctly support the new 

 Resolved a dependency conflict preventing installation on Python 3.9 environments.

For a full summary of changes, please visit the 

CLI v1.10.1: Policy deny rules and usability improvements

You can now download auto-generated Software Bills of Materials (SBOMs) for your Docker and OCI images directly from the Cloudsmith web app. This allows you to instantly export supply chain data for use in analysis tools or alongside release documentation.

Previously, SBOMs generated by Cloudsmith were only accessible via the 

. Instead of scripting an API call to retrieve the manifest for a specific image, you can now grab the 

 file with a single click, making SBOMs accessible to a broader range of users.

Click the Actions menu → "Download SBOM"

Downloads are provided in CycloneDX format.

This feature applies only to SBOMs automatically generated by Cloudsmith during the container image synchronization process.

Cloudsmith automatically generates SBOMs for Docker V2 and OCI V1 images.

​​This feature is live and available immediately for all Docker images. If you have any questions or feedback, please 

Download SBOMs directly from the web app

 to capture error events, giving platform engineering teams the critical information needed to troubleshoot build issues on behalf of their teams.

 only displayed successful activity, so it could be challenging to manually piece together context when errors occurred. With this update, Cloudsmith provides more comprehensive observability into your software supply chain. By surfacing requests that result in an error alongside successful ones, your team gains a centralized view of system health, making it easier to spot trends and resolve issues quickly.

: In addition to the status code, logs capture key request details including method, path, timestamp, user agent, IP address, and location.

This feature is available now in the Cloudsmith web app for customers using 

. Error logs will also soon be available in your Cloudsmith client log exports; please 

Troubleshoot failed download requests with client error logs

 command to the Cloudsmith CLI, enabling users to programmatically retrieve packages from repositories. This command provides advanced filtering, bulk operations, and pre-execution validation features.

This update resolves the prior friction created by the lack of a native download utility, eliminating the need for manual web UI downloads or complex 

 command is designed for flexible and automated artifact fetching:

 Automatically finds the latest version of a package by name across all repository versions.

 Supports filtering based on metadata such as 

 flag to download all associated package assets (e.g., sources, javadoc, SBOMs).

 Define a custom output directory for downloads using the 

 option, particularly useful for bulk operations.

 capability to see exactly which files would be downloaded without initiating the transfer.

Below are practical examples illustrating the command's flexibility:

 for Cloudsmith. This is NOT a package manager pull command. Unlike tools such as docker pull, npm install, or pip install, this command 

Install packages into your local environment

Manage dependencies or perform package resolution

Set up package registries or configure local tooling

Its function is to transfer the package files (binaries, archives, etc.) to your local filesystem for manual use, inspection, or further processing.

If you have feedback or questions about the Cloudsmith CLI, please 

Download command added to the Cloudsmith CLI

We've significantly enhanced the Cloudsmith Terraform Provider with new 

New data sources have been added to allow customers to retrieve information about their organization's configuration (like a 

 request), enabling the creation of more complex Terraform code based on specific outputs:

 resource now supports several new upstream formats:

For more information, including examples and documentation on all resources, please visit:

https://registry.terraform.io/providers/cloudsmith-io/cloudsmith/latest/docs

New data sources and expanded upstream support added to the Cloudsmith Terraform Provider

Cloudsmith now provides official upstream proxying and caching support for 

 in your npm repositories. This integration enables customers to use Cloudsmith as the primary, secure distribution platform for Chainguard’s malware-resistant, built-from-source JavaScript dependencies.

 Use Cloudsmith as the single source of truth for all npm dependencies, including Chainguard Libraries, ensuring reliability and high availability.

 Gain detailed information and consumption metrics on all package requests and versions in use (including from Chainguard Libraries) through Cloudsmith.

 Leverage Cloudsmith policies to govern what packages flow to users/pipelines, and utilize Cloudsmith’s built-in 

 Chainguard's dependencies are built using their hardened 

, providing verifiable software provenance.

The Chainguard Libraries for Javascript repository only includes libraries built by Chainguard from source. For full coverage, we recommend a dual-upstream configuration to allow for a fallback to the public registry.

Chainguard Libraries for Javascript Upstream (Priority 1)

 Add the Username and Password value from your Chainguard Libraries access settings.

Public npm Registry Upstream (Priority 2 - Fallback)

 for packages not available in Chainguard, ensuring the most secure and reliable consumption workflow possible.

Upstream Support for Chainguard Libraries for Javascript (npm)

 flag to the Cloudsmith CLI, which simplifies your automation scripts by eliminating the need for pagination logic. Previously, fetching large datasets required looping to iterate through 

. Now, the CLI automatically handles the underlying pagination, fetching every requested item and returning the full list instantly. This lets you simplify your scripts and maintain less code.

 flag to the following commands that support pagination:

Cloudsmith Changelog