You can now host and distribute your machine learning (ML) models and datasets using Cloudsmith. This brings the same security, governance, and cloud-native performance you already rely on for packages, containers, and binaries to your AI workflows.

: Push and pull public or private models, datasets, and related assets with the standard 

 public models and datasets from the Hugging Face Hub for improved reliability and speed.

to fit your workflows. Store models alongside containers and packages, or separate them into dev, staging, and production.

 with fine-grained permissions for who can view or distribute models. 

 on security, quality, and compliance using Enterprise Policy Management.

You can now use quick filters in the package vulnerability view to filter Common Vulnerabilities and Exposures (CVEs) by severity.

The view will still default to ordering vulnerabilities by severity — with Critical issues at the top — but quick filters make it easier to filter directly for High, Medium, Low, or Unknown severities. This helps security teams quickly triage and prioritize, especially when working with artifacts that may have a high number of CVEs (for example, Docker images where the base image alone may contribute a large number). 

Filter CVEs by severity in the package vulnerability view

Cloudsmith now detects malicious packages using data from 

 open source packages designed to attack your supply chain before they reach your builds or customers.

 looks inside a package for known signatures, whereas malicious package detection focuses on packages that are harmful by design — for example, those created to mimic legitimate dependencies or trigger unsafe install behaviors. Together, these capabilities provide broader defense in depth across your repositories.

Here’s how malicious package detection works in Cloudsmith:

: The malicious packages dataset is ingested into Cloudsmith and integrated into Continuous Security.

: Packages in your repositories are regularly evaluated against this dataset.

: Enterprise Policy Management (EPM) lets you define policies to automatically quarantine or block flagged packages.

Malicious package detection

You can now use Cloudsmith’s package search syntax to refine the scope of your repository's retention rules when configuring them via the Cloudsmith web application and via the Cloudsmith Terraform provider. This functionality builds on the existing support to 

scope retention rules by package search syntax via the API

, and makes it easier to target exactly which packages to keep or remove.

To start using it via the web application, browse to your repository Settings, and click Retention Rules. Use the 

Retention rules: Refine scope with package search syntax via web app and Terraform provider

, a refreshed and re-architected documentation website for Cloudsmith. 

We believe that good documentation is an essential component of a great product. Our documentation helps new developers get started with Cloudsmith, and enables customers to get the most value from our platform. 

Our new documentation website has better content and simpler navigation, and reflects the design of our web app.

We've added and improved dozens of pages on 

. It is now the best guide to using Cloudsmith

The old documentation site will remain available 

, at which point old docs will redirect to new versions on 

We will continue to make updates to our old documentation website, 

We are migrating knowledge base content from our 

, we believe in collective ownership of documentation. That’s why we’ve housed the source text for our docs in 

, which is editable by our customers, partners, and developers.

 you'll see a View in GitHub button, so you can edit pages directly, and issue pull requests to improve our docs. We'll review all edits and suggestions, and merge them regularly.

As always, if you have any questions, please 

New Documentation Website

We've reduced the delay between a download event and its appearance in Client Logs, giving you faster visibility into your package delivery pipeline. This makes it easier to analyze trends, troubleshoot issues, and keep your workflows moving.

, and are part of ongoing upgrades to our edge architecture, designed to deliver faster, more reliable access to Cloudsmith data at scale.

The legacy version of Client Logs will remain accessible in the 

You may notice differences in how the data appears between the legacy Client Logs and the new version:

Legacy Client Logs: logs first show an estimated bytes value, which is later updated with the reconciled value.

New Client Logs: logs are available within ~30-60 seconds and display the correct bytes value immediately.

 in our documentation. If you have any questions, 

Faster access to Client Logs

As part of upcoming improvements to our logging pipeline, we’ve made adjustments to our underlying data processing. These changes include the 

These fields will now be prefixed with the name of the workspace and the repository.

If you are using custom domains configured at the workspace level, only the repository name will be prefixed: 

For repository custom domains, the path will remain unchanged:

Important information regarding these changes

 field in any automated process, please review your workflows to ensure they will continue working as expected. Note that the exact structure of the URI may change depending on the HTTP request type.

ML Model Registry

What’s New

Other logs

Filter CVEs by severity in the package vulnerability view

Malicious package detection

Retention rules: Refine scope with package search syntax via web app and Terraform provider

New Documentation Website

Faster access to Client Logs

Change to uri Field in Client Log Exports