Formats/R

The R / CRAN repository built for data science teams

Cloudsmith gives data science teams a fully-managed private CRAN repository with upstream proxying to the canonical CRAN registry. Publish internal R packages, cache external dependencies, and enforce security policies across every package your teams consume.

Universal format support

One platform for R packages and every other format your teams rely on. Cloudsmith is the secure store for all your artifacts.

  • Use R / CRAN + 30 other formats from a single platform
  • Store internal R packages alongside Python, Docker, and other formats your data science pipelines depend on
  • Proxy and cache the canonical CRAN registry so every install.packages() call resolves through Cloudsmith

How we support R / CRAN

Cloudsmith gives data science teams a reliable, secure home for both private R packages and the external CRAN dependencies their models and pipelines consume.
    Private CRAN repository
    Publish and serve your organisation's internal R packages via a fully CRAN-compatible endpoint. Use install.packages() with your Cloudsmith URL exactly as you would with the official registry.
    Upstream proxying and caching
    Configure Cloudsmith as a single point of contact for all R packages. Proxy the canonical CRAN registry transparently and optionally cache packages so your builds are never blocked by upstream outages.
    Vulnerability scanning and policy enforcement
    Scan R packages for CVEs and malware on ingestion. Build OPA Rego policies to quarantine, block, or flag packages that fail your security thresholds before they reach data scientists.
    Fine-grained access control
    Grant read or write access at the repository, team, or token level. Support entitlement token and HTTP Basic authentication so CI pipelines and individual contributors authenticate consistently.
    Cloud-native performance and reliability
    Cloudsmith is fully managed with no infrastructure for your team to operate. Backed by a global CDN with 600+ edge points of presence, packages download fast wherever your data scientists and pipelines run.

Why teams choose Cloudsmith for R / CRAN

Managing R packages across data science teams exposes real gaps in access control, reproducibility, and build reliability. Cloudsmith closes them without adding operational burden.
Without CloudsmithTeams pull R packages directly from the public CRAN registry, with no visibility, caching, or control over what enters the build. If CRAN is slow or unavailable, pipelines stall.
With CloudsmithCloudsmith proxies and caches CRAN transparently. Every install.packages() call resolves through your private repository, giving you full control and insulating builds from upstream outages.
Without CloudsmithInternal R packages are shared via Git repos, shared network drives, or ad-hoc tarballs. There is no versioning, no access control, and no audit trail showing who installed what.
With CloudsmithCloudsmith hosts your internal R packages on a CRAN-compatible endpoint with full version history, token-based authentication, and client logs that show every upload and install.
Without CloudsmithUnvetted packages flow directly into data science environments, with no scanning for CVEs or malware. A compromised dependency can reach production models before anyone notices.
With CloudsmithCloudsmith scans every package on ingestion and lets you define policies that automatically quarantine or block packages that fail your security thresholds.

Signs you're ready to switch to Cloudsmith for R / CRAN

If your current R package workflow relies on fragile self-hosted tooling or direct pulls from the public registry, you're accumulating risk and toil that Cloudsmith removes.
    No single source of truth for R packages
    Internal packages live in Git, shared drives, or personal S3 buckets with no consistent versioning or discoverability. Cloudsmith gives every package a canonical, CRAN-compatible URL your whole organisation can rely on.
    Pipelines fail when CRAN is slow or unavailable
    Pulling directly from the public CRAN registry introduces an external dependency into every build. Cloudsmith's caching layer means packages are always available locally, regardless of upstream status.
    No security screening on incoming R packages
    Data science teams regularly install new packages from CRAN without any vulnerability checks. Cloudsmith scans packages on ingestion and lets you block or quarantine risky dependencies before they reach your environment.
    No access control over who can publish or install
    Anyone with a repository URL can install packages, and there is no fine-grained control over who can publish new versions. Cloudsmith gives you token-based authentication and role-based permissions at every level.
    Self-hosted CRAN tooling is costing engineering time
    Running miniCRAN, drat, or a custom server means your engineering team is maintaining infrastructure instead of shipping features. Cloudsmith is fully managed so you spend zero time on CRAN server ops.

Get started with R / CRAN on Cloudsmith

Frequently asked questions

  1. Yes. Cloudsmith provides a fully CRAN-compatible endpoint. You point the repos argument in install.packages() or your .Rprofile at your Cloudsmith repository URL, and R's native tooling works without any modification.

  2. Yes. You can configure the public CRAN registry as an upstream source in Cloudsmith. Cloudsmith then acts as a single point of contact for all R packages, transparently proxying requests to CRAN and optionally caching packages so future installs are served directly from your private repository.

  3. Yes. Cloudsmith CRAN repositories support uploading and serving both source packages (.tar.gz) and binary packages. Binaries can be specified for a particular R version and, for macOS binaries, a specific architecture.

  4. Cloudsmith supports entitlement token authentication and HTTP Basic authentication. You embed credentials in your repository URL or .Rprofile, and your R session or CI pipeline authenticates automatically on every install.packages() call.

  5. Yes. Cloudsmith scans packages for CVEs and malware on ingestion. You can define OPA Rego policies to automatically quarantine, block, or flag packages that breach your security thresholds, so risky dependencies never reach your data science environments.

  6. You upload your existing package tarballs to Cloudsmith via the UI, API, or CLI, then update your .Rprofile or CI configuration to point at your new Cloudsmith repository URL. Cloudsmith provides contextual setup instructions with pre-filled copy-paste snippets inside each repository.

  7. Yes. Cloudsmith's role-based access control lets you grant read or write permissions at the repository, team, or individual token level. You can issue scoped entitlement tokens for CI pipelines and separate credentials for individual contributors.

  8. Yes. When caching is enabled, Cloudsmith fetches and stores packages from the upstream CRAN registry in your private repository. If CRAN is unavailable, your builds resolve packages from the Cloudsmith cache and are not affected by upstream outages.

  9. Yes. Every Cloudsmith repository supports 30+ package formats. You can store R packages, Python wheels, Docker images, and raw model artefacts in the same platform, giving your data science team a single place to manage all software dependencies.

  10. Cloudsmith offers tiered plans including a free trial so you can test private CRAN repository hosting before committing. Visit the pricing page for a full breakdown of plan limits and features, or book a demo to talk through the right plan for your team.

Formats

There’s more than just R on Cloudsmith