Custom key-value metadata can now be attached to any package in Cloudsmith, giving structured contextual data - CI build info, Git provenance, commit SHAs, internal attribution - a proper home alongside the artifact it describes. Stored as arbitrary JSON key-value pairs, it's purpose-built for the kind of contextual data that doesn't belong in tags.
Custom metadata displayed on a package in the Cloudsmith web app.
How it works
Custom metadata can be added, updated, deleted, viewed, and searched via the Cloudsmith API and CLI. Once attached, metadata can be used in policy-as-code matching logic and the Cloudsmith package search filter, making it possible to enforce governance and find packages based on the contextual data you've stored.
| | Add | Update | Delete | View | Package search filter |
|---|---|---|---|---|---|
| API | ✓ | ✓ | ✓ | ✓ | ✓ |
| CLI | ✓ | ✓ | ✓ | ✓ | ✓ |
| Web app | | | | ✓ | ✓ |
Currently supported custom metadata functionality for the Cloudsmith API, CLI, and web app. Metadata can only be created, updated, and deleted via the API or CLI - the web app supports viewing and searching existing metadata only.
Package search
The Cloudsmith package search now supports a metadata filter.
Custom metadata is currently available in early access for Ultra and Enterprise customers. If you have any questions or feedback on this feature, please contact us.
Learn more about custom metadata in our documentation.
Packages from Debian, Alpine, PyPI, and other ecosystems that use native version ranges are now matched against a broader set of OSV advisories, building on existing coverage for SemVer-based ranges…
Two additional policy evaluation triggers are now available, ensuring that policies are enforced consistently across repositories without manual intervention…
With the new cloudsmith_connected_repository resource for the Cloudsmith Terraform provider, you can define connected repository configurations in code alongside the rest of your Cloudsmith infrastructure…
By default, Cloudsmith assigns the `latest` dist-tag to the package with the highest semantic version number, which may not match what the upstream registry considers `latest`. A new per-repository setting, npm upstream tags take precedence, lets upstream distribution tags (dist-tags) override Cloudsmith’s semantic versioning (SemVer)-based tag assignment…
A cooldown policy now filters non-compliant package versions from the repository index before package managers ever see them. This provides both security control and a better developer experience: clean resolution to the next compliant version, no build failures, and no waiting…