Secure your software supply chain directly in VS Code with the latest version of Cloudsmith’s extension

We’ve released a major update to the Cloudsmith VS Code extension, transforming it from a repository browser into a proactive part of your software supply chain security. By integrating security remediation, automated Infrastructure as Code (IaC) generation, and dependency health tracking directly into the IDE, we’ve eliminated the friction between writing code and managing a secure software supply chain.

Release highlights

  • Terraform Export: Right-click any repository to generate an HCL configuration for repositories, including upstreams and retention rules, complete with sensitive variable placeholders so that secrets are supplied at apply time rather than committed to source control.
  • Dependency health check: A new sidebar view cross-references project manifests (package.json, requirements.txt, go.mod, etc.) against Cloudsmith’s security database. Vulnerable dependencies are flagged with inline "squiggly" underlines directly within the editor.
  • Proactive remediation: Use the "Find Safe Version" command to instantly identify clean, non-quarantined versions of a package available in your workspace and access the corresponding secure install commands.
  • Upstream trust inspection: A new WebView panel identifies "Trusted" vs. "Untrusted" upstreams, providing clear callouts to help prevent dependency confusion attacks by highlighting unverified sources.
  • Automated promotion: Visualize your defined promotion pipelines (e.g., Dev → Staging → Prod) and move packages between stages with a single click.
  • Authentication improvements: Streamlined setup supporting API Keys, Service Accounts, and a new SSO/SAML terminal flow.

Full release notes

For a comprehensive breakdown of all features, hardening, and bug fixes in versions 2.1.0 and 2.0.0, please visit the Cloudsmith VS Code GitHub Changelog.
