In the move from "safe enough" to truly resilient, security teams must address vulnerabilities at every link in the software supply chain. One of the most persistent risks is dependency confusion, a tactic where malicious actors exploit how package managers resolve names to trick systems into pulling untrusted code.

To help you achieve a more resilient posture, you can now set a trust status for your upstreams. This capability focuses on a critical link in your chain: preventing attackers from hijacking your internal package names in public repositories. By defining explicit trust boundaries, you ensure that once an artifact is identified as internal, it cannot be replaced by an untrusted externally-sourced version.

How it works

Traditional version resolution sequencing is passive; if a publicly published package has a higher version number than an internally sourced version of that same package, many installers will prioritize the one with the higher version number. Setting a trust status provides active enforcement by establishing a trust benchmark at the package name level:

• Mark your package sources as TRUSTED (e.g., vetted upstreams) or UNTRUSTED (e.g., public registries).
• When a package version is found in a trusted source, Cloudsmith benchmarks that package name.
• Once a benchmark is set, every version of that package from an untrusted source is omitted from your index - regardless of version number.

This feature is available in Early Access for Ultra and Enterprise customers. We currently support upstream trust for Python, Maven, and NPM.

Ready to secure your package names? Check out our documentation for a deep dive into the algorithm, or contact us to get access to the Early Access program today.