Secure, hosted Dart package repositories

Cloudsmith gives your team fully managed, private Dart repositories with token-based authentication, upstream proxying, and governance controls - without the overhead of self-hosted infrastructure.

Dart on Cloudsmith

Centralize and control your Dart packages. Cloudsmith is a secure, fully managed store for all your Dart artifacts and dependencies.

  • Use Dart + 30 other formats in one place
  • Proxy and cache pub.dev packages to speed up builds and eliminate external registry risk
  • Enforce governance policies that control which packages are permitted across your repositories

How we support Dart

Cloudsmith gives you a fully managed Dart repository that integrates with native pub tooling and scales with your team, from a single project to a global monorepo.
    Native pub tooling
    Authenticate and publish with standard dart pub commands. Cloudsmith's Dart endpoint is a drop-in replacement for pub.dev, requiring no changes to your existing workflow.
    Upstream proxying
    Proxy and cache pub.dev packages through Cloudsmith so your builds never depend directly on an external registry. Speed up resolution times and stay protected if upstream goes down.
    Vulnerability scanning
    Cloudsmith scans Dart packages for known CVEs and malware. Set rules to automatically flag, quarantine, or block packages that contain low, medium, or critical vulnerabilities before they reach your team.
    Access control and entitlements
    Create public or private repositories and manage access with granular team permissions. Distribute private packages to external consumers using scoped entitlement tokens with no credential sharing.
    Multi-format repositories
    Store Dart packages alongside Docker images, Python wheels, and 30 other formats in a single Cloudsmith repository. Consolidate your supply chain without juggling separate registries.

Why teams choose Cloudsmith for Dart

pub.dev works well for open-source discovery, but private package distribution and dependency governance require more. Cloudsmith gives your team the control, reliability, and security that pub.dev alone cannot.
Without Cloudsmith: Developers depend directly on pub.dev for every build. If the registry has an outage or a package is retracted, your pipelines break and there is no fallback.
With Cloudsmith: Cloudsmith proxies and caches pub.dev packages locally. Builds resolve from your own cache, so a pub.dev outage or package removal has no impact on your team.
Without Cloudsmith: Sharing private Dart packages across teams means passing credentials manually or hosting ad-hoc Git dependencies - both fragile and hard to audit.
With Cloudsmith: Publish private packages to a Cloudsmith repository once and distribute them via scoped entitlement tokens. Access is logged and revocable, with no credential sharing required.
Without Cloudsmith: There is no enforced control over which Dart package versions teams install. Vulnerable or unapproved packages can reach production without any team member noticing.
With Cloudsmith: Create and enforce governance policies in Cloudsmith that control which packages are permitted. Block specific versions, require metadata fields, or quarantine packages that fail your criteria before installation.

Signs you're ready to switch to Cloudsmith for Dart

If your current setup relies on workarounds to share Dart packages privately or gives you no visibility over what teams are installing, Cloudsmith is the upgrade your supply chain needs.
    No private package hosting
    pub.dev only hosts public packages. If you are using Git dependencies or manual workarounds to share internal Dart libraries, Cloudsmith gives you a proper private registry with token-based auth and fine-grained access control.
    Build failures from upstream instability
    Direct pub.dev dependency in CI leaves you vulnerable to outages and package retractions. Cloudsmith's upstream proxying caches packages so your builds stay stable regardless of external registry health.
    No visibility into vulnerable dependencies
    Without automated scanning, vulnerable packages reach your Dart projects silently. Cloudsmith scans for CVEs and lets you quarantine or block risky packages before any team member installs them.
    No governance over what gets installed
    If your teams can install any package version without review, you have no repeatable enforcement model. Cloudsmith's policy engine lets you define which Dart packages and versions are permitted across your repositories.
    Fragmented artifact management
    Maintaining separate registries for Dart, Docker, and other formats adds operational overhead. Cloudsmith consolidates all your formats into one platform, reducing the tools your team has to manage and secure.

Frequently asked questions

  1. Yes. Cloudsmith's Dart repository is fully compatible with dart pub and flutter pub. You authenticate using dart pub token add and push or pull packages without changing your existing workflow.

  2. Cloudsmith supports Dart SDK version 2.15.1 and above. SDK versions 2.14 and earlier are no longer supported. All standard dart pub operations work as expected on supported SDK versions.

  3. Yes. Cloudsmith gives you private repositories that are not accessible without authentication. You control access at the team or individual level and can distribute packages to external consumers using scoped entitlement tokens.

  4. Cloudsmith supports API key tokens, OIDC for CI/CD pipelines such as GitHub Actions, and password-based authentication. You add credentials once using dart pub token add and the CLI handles all subsequent requests automatically.

  5. Yes. Cloudsmith scans Dart packages for known CVEs and malware. You can configure rules to automatically quarantine or block packages based on vulnerability severity, so no risky package reaches a developer's machine without review.

  6. Yes. Cloudsmith's upstream proxying lets you route pub.dev requests through your own repository. Packages are cached locally so your builds remain stable even if pub.dev experiences an outage or a package is retracted.

  7. Yes. Cloudsmith's policy engine lets you create governance rules that control which packages and versions are permitted in your repositories. You can block specific versions, require specific metadata fields, or quarantine packages that do not meet your criteria before any team member installs them.

  8. Yes. All Cloudsmith repositories are multi-format. You can store Dart packages alongside Docker images, Python wheels, npm modules, and 30 other formats in a single repository, centralizing your entire software supply chain.

  9. You can upload existing packages using the Cloudsmith CLI or REST API. Once uploaded, you update your pubspec.yaml to point to your Cloudsmith repository URL and authenticate using dart pub token add. Migration requires no changes to your package source code.

  10. Yes. Cloudsmith integrates with GitHub Actions, Jenkins, CircleCI, and most major CI systems. You can authenticate using OIDC for keyless authentication in pipelines, avoiding the need to store long-lived credentials as secrets.
