Private, secure NPM registry management

Cloudsmith gives your JavaScript and Node.js teams a fully managed, private NPM registry with high compatibility with the official npm CLI. Centralise your packages, enforce security policies, and proxy upstream registries - all from a single platform your pipelines can rely on.

Universal format support

Simplify and streamline operations. Cloudsmith is a secure store for all packages, containers and assets.

  • Use NPM + 30 other formats
  • Store Docker container images and npm packages together in one repository
  • Centrally manage ML models, raw assets, and JavaScript packages under one roof

How we support NPM

Cloudsmith gives your teams a fully managed, API-compatible NPM registry without the operational overhead of running your own infrastructure.
    Native npm CLI compatibility
    Cloudsmith provides high-level compatibility with the official npmjs API, so your teams can publish and install packages using the same npm commands they use today - no workflow changes required.
    Vulnerability scanning
    Scan every npm package for CVEs and malware on ingestion. Build automated quarantine and denial policies using OPA Rego to stop vulnerable packages before they reach your pipelines.
    Upstream proxying and caching
    Proxy and cache the public npm registry through Cloudsmith. Your builds pull from a reliable, audited source rather than hitting npmjs.com directly, eliminating registry outage risk.
    Distribution tags and scoped packages
    Full support for distribution tags and scoped package namespaces means you get the same rich versioning and discoverability features your team depends on, running inside your own private registry.
    Entitlement tokens and access control
    Create granular entitlement tokens to control who can push, pull, and manage packages. Pair with SAML SSO and SCIM for enterprise-grade identity management across every npm repository.

Why teams choose Cloudsmith for NPM

Relying on the public npm registry introduces a single point of failure into every build pipeline. Cloudsmith removes that risk and gives your team speed, security, and control.
Without Cloudsmith: Registry outages on npmjs.com bring CI/CD pipelines to a halt. Teams sit idle waiting for the public registry to recover, deployments slip, and there is no fallback.
With Cloudsmith: Cloudsmith proxies and caches the public npm registry so your builds pull from a reliable, low-latency source. Registry outages upstream have zero impact on your pipelines.

Without Cloudsmith: Malicious and typosquatted npm packages reach developer machines before anyone notices. Supply chain attacks exploiting dependency confusion go undetected for days.
With Cloudsmith: Every package is scanned for CVEs and malware on ingestion. OPA Rego policies automatically quarantine or deny packages that violate your security rules before they touch a build.

Without Cloudsmith: Internal packages live in one tool, Docker images in another, and Python packages somewhere else. Teams waste time context-switching between registries and maintaining separate credentials.
With Cloudsmith: Cloudsmith stores npm packages, containers, ML models, and 30+ other formats in a single platform. One set of credentials, one audit log, one security policy - applied everywhere.
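The dependency-confusion and proxying points above (and the scoped-package and upstream-proxy answers in the FAQ) both come down to how the npm client resolves each dependency to a registry. The following Node script is an added example, not Cloudsmith's own code: it parses a project's .npmrc and package.json and reports every dependency that would be fetched from outside the private registry. The registry URL and the @myorg scope are constructed placeholders.

```javascript
// Added example (not Cloudsmith's code). PRIVATE_REGISTRY is a constructed
// placeholder; substitute your own Cloudsmith namespace/repository URL.
const PRIVATE_REGISTRY = "https://npm.cloudsmith.io/example-org/example-repo/";

// Minimal .npmrc parser: one "key=value" per line; '#' and ';' start comments.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line[0] === "#" || line[0] === ";") continue;
    const eq = line.indexOf("=");
    if (eq > 0) cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Resolve each dependency the way npm does: a scope-specific "@scope:registry"
// key wins, then the global "registry" key, then npm's built-in default.
// Returns one finding per dependency not served by the private registry/proxy;
// an empty list means every install is routed through Cloudsmith.
function auditDependencies(pkgJson, npmrcText) {
  const cfg = parseNpmrc(npmrcText);
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const defaultRegistry = cfg.registry || "https://registry.npmjs.org/";
  const findings = [];
  for (const name of Object.keys(deps)) {
    const slash = name.indexOf("/");
    const scope = name.startsWith("@") && slash > 0 ? name.slice(0, slash) : null;
    const registry = (scope && cfg[`${scope}:registry`]) || defaultRegistry;
    if (registry.startsWith(PRIVATE_REGISTRY)) continue;
    findings.push({
      name,
      registry,
      reason: scope
        ? "scoped package not pinned to the private registry (dependency-confusion exposure)"
        : "unscoped package fetched directly from the public registry, bypassing proxy and scanning",
    });
  }
  return findings;
}

// Constructed sample project plus a weak and a corrected .npmrc.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "@myorg/auth-client": "^2.1.0", lodash: "^4.17.21" },
  devDependencies: { "@myorg/eslint-config": "^1.0.0" },
};
const WEAK_NPMRC = "# no registry routing: everything resolves to npmjs.org\nsave-exact=true\n";
const FIXED_NPMRC = [
  `registry=${PRIVATE_REGISTRY}`,          // public packages go through the proxy
  `@myorg:registry=${PRIVATE_REGISTRY}`,   // internal scope pinned to the private registry
  "//npm.cloudsmith.io/example-org/example-repo/:_authToken=${NPM_TOKEN}", // token from env
].join("\n");

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON, WEAK_NPMRC), null, 2));
```

Run it against a real checkout by replacing the constructed inputs with `JSON.parse(fs.readFileSync("package.json"))` and `fs.readFileSync(".npmrc", "utf8")`.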

Signs you're ready to switch to Cloudsmith for NPM

If your current npm setup is slowing your teams down or leaving security gaps, Cloudsmith gives you a fully managed path forward.
    Registry outages are breaking builds
    npmjs.com has a track record of outages that halt pipelines worldwide. Cloudsmith gives you a cached, always-available proxy so upstream disruptions never reach your teams.
    No visibility into what packages your teams consume
    Without a private registry, you have no audit trail of which npm packages were pulled, by whom, or when. Cloudsmith gives you full client and audit logs across every download.
    Vulnerable packages reaching production
    Pulling directly from the public registry with no scanning layer means malicious or CVE-laden packages can slip through. Cloudsmith scans every package and enforces denial policies automatically.
    Fragmented tooling across teams
    Managing npm in one tool, Docker in another, and Python packages elsewhere is expensive to maintain and impossible to govern consistently. Cloudsmith unifies everything under one platform.
    Access controls that don't scale
    Ad-hoc token management doesn't hold up as teams grow. Cloudsmith's entitlement tokens, SAML SSO, and SCIM provisioning give you enterprise-grade access control across every npm repository.

Get started with NPM on Cloudsmith

Frequently asked questions

  1. Yes. Cloudsmith provides high-level compatibility with the official npmjs API. You can use the standard npm CLI to publish, install, and manage packages without changing your existing workflows.

  2. Yes. You can configure Cloudsmith as an upstream proxy for the public npmjs registry. Requested packages are cached so subsequent pulls are fast and your builds are insulated from public registry outages.

  3. Yes. Cloudsmith fully supports scoped packages (e.g. @myorg/package). You can publish and install scoped packages using native npm tooling just as you would with the public registry.

  4. Yes. Cloudsmith has full support for distribution tags, following the same rules as npmjs.com. A tag points to one version only, packages can have multiple tags, and the latest tag is managed automatically on publish and delete.

  5. Every npm package pushed to Cloudsmith is scanned for known CVEs and malware. You can configure OPA Rego policies to automatically quarantine or deny packages that violate your security requirements, stopping them before they reach any build pipeline.

  6. You can authenticate using a Cloudsmith API key or an entitlement token scoped to the relevant repository. Entitlement tokens let you issue read-only or read-write credentials with fine-grained permissions for CI systems and individual developers.

  7. Yes. To use npm audit with Cloudsmith you must authenticate with a Cloudsmith API key rather than an entitlement token. Full details are in the Cloudsmith npm documentation.

  8. Yes. All Cloudsmith repositories are multi-format. You can store npm packages alongside Docker images, Python packages, Maven artifacts, and 30+ other formats in the same repository, under a single set of access controls and policies.

  9. You can push packages to Cloudsmith using the native npm CLI, the Cloudsmith CLI, the Cloudsmith web UI, or the REST API. Each repository in Cloudsmith provides contextual setup instructions with copy-paste commands pre-filled with your namespace and repository details.

  10. Yes. Cloudsmith supports SAML SSO and SCIM provisioning, letting you manage user access to npm repositories through your existing identity provider. This applies consistently across all formats stored in Cloudsmith.
