Upstream logs are now available in the web app. Each upstream's log shows successful requests from the last 12 hours and failed requests from the last 24 hours, making it easier to monitor activity and diagnose issues as they arise.

This is part of a wider set of improvements to upstreams — see 

Set up and monitor upstreams more effectively

 to sunset our old documentation website. The old website has now been retired, and redirects are in place to our 

Today we're releasing an improved search experience on the new docs site. Search is now more prominent in the user experience. Results are much more accurate, and organized into helpful categories - showing results from core documentation, handy guides, and our API reference. As ever, if you have any feedback please 

Improved search experience in Cloudsmith documentation

Teams with UK data residency requirements can now store artifacts on UK infrastructure. Select 

 as your storage region when creating a new repository, or transfer an existing one via a repository's Settings.

Learn more about custom storage regions in 

London is now a supported storage region

You can now connect multiple repositories to a single repository, giving your teams a single repo to pull every package they need. This allows you to organize your artifacts by Line of Business (LOB) while ensuring that shared internal libraries and vendor images are managed centrally and remain always available to the teams that need them.

Enterprises need to balance easy access to artifacts with strict control over who can publish or promote them. Previously, the only way to aggregate repositories in Cloudsmith was through "Cloudsmith-to-Cloudsmith" upstreams. Because this wasn't a native fit for complex workflows, it introduced indexing delays and performance overhead that didn't meet the needs of large-scale delivery pipelines.

Connected repositories provide a native solution that offers:

Developers no longer need prior knowledge of the underlying repo structure. By connecting repositories, you present a single, shared location for builders to fetch any required image or package.

Unlike older methods, there is no indexing delay. When a team pushes a new library or image to a connected repository, it is immediately available to every team that needs it.

You can manage vendor and shared libraries "behind the scenes," isolating your developers from the underlying complexity of how you manage permissions and access control.

Connected repositories are built for workspace administrators who need a performant, unified way to distribute packages across a complex organization without re-architecting their existing delivery workflows.

Packages are visible to consumers of the source repository the moment they are pushed, eliminating the need for secondary indexing.

Set clear rules for which repository "wins" if the same package version exists in multiple places, ensuring deterministic and secure builds.

 If your shared library repository points to external sources like Maven Central or PyPI, your LOB repositories get access to those public packages automatically.

Administrators can manage these connections via the UI or API, ensuring a consistent and auditable structure across the entire organization.

 and contact us to enable Connected Repositories for your workspace.

Architect a scalable, developer-friendly repository structure with connected repositories

 of the Cloudsmith CircleCI Orb, bringing it to full feature parity with our GitHub Actions and Azure DevOps integrations. This update focuses on security through OIDC, improved reliability, and greater flexibility for your CI/CD workflows.

 Authenticate using OpenID Connect (OIDC) with the new 

 step. This allows you to exchange short-lived tokens at runtime, eliminating the need to store long-lived API keys in CircleCI environment variables.

 We’ve switched the default installation method from 

 to a self-contained zipapp downloaded directly from 

. This removes dependencies on the local Python environment and ensures a faster, more consistent setup.

 You are no longer limited to a subset of commands via an orb wrapper. The orb now installs the Cloudsmith CLI directly, allowing you to invoke any CLI command within your run steps.

 command is now deprecated. We recommend using 

), then calling the Cloudsmith CLI directly.

. If your environment specifically requires a pip-based install, set 

. Jobs relying on the legacy Python 3.7.4 image may need to explicitly pin the 

You can find full usage examples and parameter references on the 

, or view the source code and contribute via 

CircleCI Orb v2.0.0: OIDC, Zipapp, and full CLI access

We’ve added support for the Wolfi ecosystem, alongside the ability to proxy and cache both Alpine and Wolfi packages from their public mirrors. For teams installing packages via APK, this provides a simpler, more reliable way to manage dependencies by using Cloudsmith as a single source for both public and private packages.

Managing public and private packages separately adds friction to your build process. Cloudsmith removes this by blending your local packages and upstream content into a single, unified 

By merging these into one index signed with your repository’s RSA key, you also improve your software supply chain security. Your build environments only need to trust one source to verify the integrity of every dependency in your stack, whether it’s an internal artifact or a public package.

Cloudsmith treats each upstream as a separate distribution within your repository to ensure packages are correctly indexed and served.

We provide complete coverage across all architectures and every supported branch (from v3.0 through v3.23 and beyond).

We index everything currently available on the Wolfi OS index, covering all packages available within the last 12 months, plus anything you've cached or uploaded directly.

To begin proxying these repositories, add the following URLs as upstreams in your Alpine-compatible repositories:

Proxy and cache Alpine and Wolfi packages from upstream repositories

, transforming it from a repository browser into a proactive part of your software supply chain security. By integrating security remediation, automated Infrastructure as Code (IaC) generation, and dependency health tracking directly into the IDE, we’ve eliminated the friction between writing code and managing a secure software supply chain.

 Right-click any repository to generate a HCL configuration for repositories, including upstreams and retention rules, complete with sensitive variable placeholders for secure secrets management.

: A new sidebar view cross-references project manifests (package.json, requirements.txt, go.mod, etc.) against Cloudsmith’s security database. Vulnerable dependencies are flagged with inline "squiggly" underlines directly within the editor.

: Use the "Find Safe Version" command to instantly identify clean, non-quarantined versions of a package available in your workspace. command to instantly identify clean, non-quarantined versions of a package and access the corresponding secure install commands.

: A new WebView panel identifies "Trusted" vs. "Untrusted" upstreams, providing clear callouts to help prevent dependency confusion attacks by highlighting unverified sources.

: Visualize your defined promotion pipelines (e.g., Dev → Staging → Prod) and move packages between stages with a single click.

: Streamlined setup supporting API Keys, Service Accounts, and a new SSO/SAML terminal flow.

For a comprehensive breakdown of all features, hardening, and bug fixes in versions 2.1.0 and 2.0.0, please visit the 

Track and troubleshoot upstream requests with logs

Other logs

Improved search experience in Cloudsmith documentation

London is now a supported storage region

Architect a scalable, developer-friendly repository structure with connected repositories

CircleCI Orb v2.0.0: OIDC, Zipapp, and full CLI access

Proxy and cache Alpine and Wolfi packages from upstream repositories

Secure your software supply chain directly in VS Code with the latest version of Cloudsmith’s extension