A cooldown policy now filters non-compliant package versions from the repository index before package managers ever see them. This provides both security control and a better developer experience: clean resolution to the next compliant version, no build failures, and no waiting.
Malicious packages typically live in public registries for hours before detection. In that window, automated CI/CD pipelines can pull them straight into customer builds. A package cooldown policy closes that gap by enforcing a minimum age requirement on packages before they're available to install.
Previously, cooldowns were enforced at the point of download, meaning a build requesting a version still within the cooldown window would fail to resolve. Now, we’ve moved enforcement to the repository index, filtering out non-compliant versions before package managers see them. Builds resolve cleanly to the first available compliant version, with no iterative build failures.
With Cloudsmith’s cooldown policies:
This feature is available in Early Access for Ultra and Enterprise customers.
Check out our documentation to learn more, or contact us to request early access or register interest in additional format support.
Cloudsmith CLI Action v1 is now deprecated. Security-only patches will continue until 31st December 2026, after which v1 reaches end-of-life (EOL). Migrate to v2 before 31st December 2026 to avoid disruption…
We're rolling out improvements to how Cloudsmith evaluates relational version ranges across the platform to ensure clearer and more predictable results for semantic version searches and version-based ordering…
Private Broadcasts lets you put your brand front and center throughout the entire distribution experience, distributing software securely to your partners, customers and internal users through your own branded portal. Full customization and built-in analytics give you control over the experience and visibility into adoption, while entitlement tokens keep access tightly managed, so your software reaches exactly the right people…
Multi-select package actions now support delete. Select up to 100 packages and remove them in a single action. Deleted packages will be moved to recently deleted packages for 7 days…
Cloudsmith has always retained deleted packages for 7 days before permanently removing them — but until now, restoring a deleted package required contacting Cloudsmith support. The new “Recently deleted packages” view lets your team find and restore packages directly, whether they were removed manually, by a retention rule, or via a bulk action, without raising a support request…
Cloudsmith should adapt to the way you work, and today we're releasing a significant new feature to meet this objective - table personalization…