Builds are now faster with support for parallel artifact uploads during 

Maven 3.9.12 enabled parallel deployment by default, which previously caused a race condition resulting in incomplete packages or synchronization errors. We updated our platform to support these concurrent requests, ensuring stability and reducing total build times.

This update is active for all customers using Maven 3.9.12 or later. No configuration changes are required.

Support for Maven parallel deployment

Public Broadcasts make it easier than ever to deliver software to your end users through a branded, trustworthy, and developer-friendly distribution experience.

Broadcasts allow you to distribute artifacts directly from your Cloudsmith repositories using a polished, customizable user interface that reflects your brand, integrates with native developer tooling, and provides visibility into how your software is being adopted.

 Present your software through an interface that matches your company’s identity. Use your logo, colors, and a custom domain to ensure end users experience a familiar, professional interface when deciding to install your software.

 Eliminate the guesswork from distribution. Gain real-time insights into which versions are being downloaded and how adoption trends change over time.

 Broadcasts integrate seamlessly with native developer tooling, allowing users to fetch packages via their preferred CLI or CI/CD tools—no friction, no workarounds.

 Turn any existing Cloudsmith repository into a professional public distribution portal in seconds. No need to build, host, or maintain custom download pages.

Since the initial Early Access release, we’ve added several features to further refine the distribution experience:

, including architecture and distribution information, is now available on Broadcasts.

 with improved installation documentation to help users get started faster.

, making it easier to share open-source projects and artifacts.

 to start broadcasting today from any existing Cloudsmith repository. 

Public Broadcasts are now generally available

Cloudsmith now provides a reference implementation guide for Amazon SageMaker. This resource demonstrates how to utilize Cloudsmith as a secure, central hub for the Hugging Face models, Docker images, and Python packages required for machine learning workflows.

AI/ML supply chains are often fragmented; relying on unmanaged public sources for models and dependencies introduces security risks and build instability. This guide provides a blueprint for moving ML artifacts into a private, governed environment without disrupting the SageMaker development experience.

This release provides a reusable set of instructions and scripts designed to be embedded directly into your existing SageMaker workflows.

 Use Cloudsmith to proxy and cache Hugging Face models, ensuring consistent availability for SageMaker training jobs.

 Consolidate Python packages and Docker containers within Cloudsmith to create a single source of truth for SageMaker environments.

 Implementation examples cover how to configure SageMaker to authenticate and fetch artifacts securely during execution.

The implementation guide and code samples are available in our public repository:

For detailed setup instructions, refer to the

Secure ML workflows with Cloudsmith and Amazon SageMaker

 runtime and updates default OIDC audience claims to align with modern security standards.

This is a major version release to prevent breaking changes for users pinned to 

. While core CLI functionality remains unchanged, environment requirements and OIDC defaults have been updated to ensure long-term compatibility and improved security.

 GitHub automatically provides the necessary runtime; no user intervention is required.

 You must ensure Node 24+ is installed on your environment to run 

 Support for Node 20 is now deprecated in this major version. We will continue to maintain 

 until the Node 20 End-of-Life (EOL) scheduled in 

 input has been updated to provide organization-specific audience claims, increasing the security of the OIDC exchange.

f your existing OIDC trust configuration relies on the legacy 

 claim, you must either update your validation logic within Cloudsmith or explicitly set 

oidc-audience: 'api://AzureADTokenExchange'

 in your workflow YAML to maintain current behavior.

For a detailed list of all technical commits and specific file changes, please refer to the 

CLI GitHub Action v2.0.0

A crucial part of effective package management is package distribution. Whether you are dealing with distributed teams or deploying global applications, you need efficient, reliable delivery - anywhere in the world.

To support this, we are continuing to expand our global footprint and are now live in Tokyo.

: We have upgraded our edge infrastructure in APAC. Unlike standard CDNs, Cloudsmith’s PDN is context-aware and optimized specifically for software artifacts.

: Users and build pipelines in Asia will experience faster throughput.

: We now handle authentication logic directly at the Tokyo edge node. This significantly reduces round-trip times for "chatty" protocols (like Maven, NuGet, or Docker) by validating credentials locally rather than routing back to the origin.

: For organizations with strict data residency requirements, you can now explicitly select Tokyo as your storage region. This ensures your data rests physically within Japan, satisfying local compliance needs.

The Tokyo region is available when creating a new repository, and all customers will automatically experience the performance benefits of our expanded PDN.

Accelerating delivery in APAC: Cloudsmith Tokyo is now live

This update to the Cloudsmith CLI introduces programmatic management for Policy Deny Rules, standardizes pagination parameters across the CLI, and upgrades core dependencies.

The CLI now supports full lifecycle management for Policy Deny Rules, enabling tighter integration with infrastructure-as-code workflows. Users can list, create, update, and delete deny policies directly via the command line.

cloudsmith policy deny create <org> POLICY_CONFIG_FILE

cloudsmith policy deny update <org> POLICY_CONFIG_FILE

 for contributing this feature. We welcome community pull requests and feedback to help drive the CLI forward.

To improve consistency, we have updated how pagination is handled across the CLI.

 is the new standard flag for listing all results, replacing 

 remains available as an alias, so existing scripts will not break. However, we recommend updating to 

 as values to instantly retrieve all results.

 Fixed the entitlement token list command to correctly support the new 

 Resolved a dependency conflict preventing installation on Python 3.9 environments.

For a full summary of changes, please visit the 

CLI v1.10.1: Policy deny rules and usability improvements

You can now download auto-generated Software Bills of Materials (SBOMs) for your Docker and OCI images directly from the Cloudsmith web app. This allows you to instantly export supply chain data for use in analysis tools or alongside release documentation.

Previously, SBOMs generated by Cloudsmith were only accessible via the 

. Instead of scripting an API call to retrieve the manifest for a specific image, you can now grab the 

 file with a single click, making SBOMs accessible to a broader range of users.

Click the Actions menu → "Download SBOM"

Downloads are provided in CycloneDX format.

This feature applies only to SBOMs automatically generated by Cloudsmith during the container image synchronization process.

Cloudsmith automatically generates SBOMs for Docker V2 and OCI V1 images.

​​This feature is live and available immediately for all Docker images. If you have any questions or feedback, please 

Download SBOMs directly from the web app

 to capture error events, giving platform engineering teams the critical information needed to troubleshoot build issues on behalf of their teams.

 only displayed successful activity, so it could be challenging to manually piece together context when errors occurred. With this update, Cloudsmith provides more comprehensive observability into your software supply chain. By surfacing requests that result in an error alongside successful ones, your team gains a centralized view of system health, making it easier to spot trends and resolve issues quickly.

: In addition to the status code, logs capture key request details including method, path, timestamp, user agent, IP address, and location.

This feature is available now in the Cloudsmith web app for customers using 

. Error logs will also soon be available in your Cloudsmith client log exports; please 

Troubleshoot failed download requests with client error logs

 command to the Cloudsmith CLI, enabling users to programmatically retrieve packages from repositories. This command provides advanced filtering, bulk operations, and pre-execution validation features.

This update resolves the prior friction created by the lack of a native download utility, eliminating the need for manual web UI downloads or complex 

 command is designed for flexible and automated artifact fetching:

 Automatically finds the latest version of a package by name across all repository versions.

 Supports filtering based on metadata such as 

 flag to download all associated package assets (e.g., sources, javadoc, SBOMs).

 Define a custom output directory for downloads using the 

 option, particularly useful for bulk operations.

 capability to see exactly which files would be downloaded without initiating the transfer.

Below are practical examples illustrating the command's flexibility:

 for Cloudsmith. This is NOT a package manager pull command. Unlike tools such as docker pull, npm install, or pip install, this command 

Install packages into your local environment

Manage dependencies or perform package resolution

Set up package registries or configure local tooling

Its function is to transfer the package files (binaries, archives, etc.) to your local filesystem for manual use, inspection, or further processing.

If you have feedback or questions about the Cloudsmith CLI, please 

Download command added to the Cloudsmith CLI

We've significantly enhanced the Cloudsmith Terraform Provider with new 

New data sources have been added to allow customers to retrieve information about their organization's configuration (like a 

 request), enabling the creation of more complex Terraform code based on specific outputs:

 resource now supports several new upstream formats:

For more information, including examples and documentation on all resources, please visit:

https://registry.terraform.io/providers/cloudsmith-io/cloudsmith/latest/docs

Cloudsmith Changelog