The private NPM registry built for teams who can't afford to compromise

Cloudsmith gives you a fully managed, cloud-native NPM registry with high compatibility with the official npmjs API. Use the standard npm CLI to publish, install, and manage packages - while gaining the security controls, governance policies, and global distribution that npmjs.org was never designed to provide.

Universal format support

One registry for everything your team ships. Cloudsmith is a secure, fully managed store for all your packages, containers, and assets.

  • Use NPM + 30 other formats in the same registry
  • Store Docker container images alongside your Node.js packages
  • Centralize raw assets and binary files with your npm dependencies

How we support NPM

Cloudsmith is a drop-in, fully managed NPM registry that gives your teams control, security, and global performance out of the box. No infrastructure to manage, no compromises on capability.
    Full npmjs API compatibility
    Cloudsmith is fully compatible with the official npm CLI. Point your .npmrc at Cloudsmith and use npm install, npm publish, and npm audit exactly as you do today - no tooling changes required.
    Vulnerability scanning for Node.js packages
    Cloudsmith scans your npm packages for known CVEs and malware. Proxy npm audit requests through Cloudsmith to bring all dependency security checks into one controlled, auditable environment.
    Governance policies and quarantine
    Create and enforce policies governing which modules are permitted in your repositories. Block specific versions, require specific metadata fields, or quarantine packages that do not meet your criteria before any team member installs them.
    Global distribution via 600+ edge locations
    Your npm packages are served from 600+ points of presence around the world. Teams in any region get fast, consistent install times without you managing a single CDN node.
    Upstream proxying and caching
    Proxy the public npmjs.org registry through Cloudsmith to cache, scan, and vet every dependency your teams pull in. Eliminate your exposure to public registry outages and supply chain attacks in a single step.

Why teams choose Cloudsmith for NPM

The public npmjs.org registry was built for open-source sharing, not enterprise control. Cloudsmith gives teams the private, governed, high-availability NPM registry that production pipelines actually demand.
Without Cloudsmith: Public registry outages halt CI/CD pipelines and block deployments. Teams scramble for workarounds when npmjs.org goes down, losing hours of productive engineering time.
With Cloudsmith: Cloudsmith caches your dependencies at the edge so builds keep running even when upstream registries experience issues. Your pipelines stay green regardless of what happens to the public registry.
Without Cloudsmith: Any package on npmjs.org can be installed by any developer with no controls in place. Malicious or vulnerable packages reach production before anyone notices.
With Cloudsmith: Cloudsmith scans every npm package for CVEs and enforces governance policies before packages reach your teams. You control which modules, versions, and metadata standards are allowed into your repositories.
Without Cloudsmith: Teams running self-hosted private registries spend engineering time on infrastructure maintenance, upgrade cycles, and scaling problems as usage grows.
With Cloudsmith: Cloudsmith is fully managed with no infrastructure to operate. You get elasticity, high availability, and global distribution without a single server to maintain, patch, or scale.

Signs you're ready to switch to Cloudsmith for NPM

If your current npm setup is slowing your team down or leaving you exposed, Cloudsmith is the upgrade. Here are the clearest signals it's time to move.
    You have no visibility into what packages your teams are installing
    Without a private registry, you cannot see, audit, or govern what enters your build pipelines. Cloudsmith gives you full audit logs, package insights, and policy enforcement across every npm install.
    Registry downtime is breaking your builds
    Relying directly on npmjs.org is a single point of failure for every pipeline you run. Cloudsmith's caching and edge network give your builds resilience against public registry disruptions.
    Your self-hosted registry is becoming a maintenance burden
    Verdaccio, Nexus, and Artifactory require ongoing ops effort to keep running, patched, and scaled. Cloudsmith is fully managed so your engineers focus on product, not infrastructure.
    You need to distribute packages to customers or external teams
    npmjs.org has no concept of controlled external distribution. Cloudsmith gives you entitlement tokens, scoped access, and public or private registries to distribute packages on your terms.
    Your packages are scattered across multiple tools
    If your npm packages live separately from your Docker images, Maven artifacts, or Python wheels, consolidating onto Cloudsmith gives you a single control plane for your entire software supply chain.

Frequently asked questions

  1. Yes. Cloudsmith provides high compatibility with the official npmjs API, so you can use the npm CLI to install, publish, and manage packages without changing your tooling. You simply point your .npmrc at your Cloudsmith registry endpoint.

  2. Cloudsmith supports two authentication methods for npm: Entitlement Token Authentication and HTTP Basic Authentication. You configure these in your .npmrc file or via npm login. For npm audit specifically, you must authenticate using a Cloudsmith API key.

  3. Yes. Cloudsmith scans npm packages for known CVEs and malware. Node.js is a supported format for vulnerability scanning. You can also proxy npm audit requests through Cloudsmith, bringing dependency security checks into a single controlled environment.

  4. Yes. Cloudsmith supports upstream proxying of npmjs.org. When a package is requested, Cloudsmith fetches it from the upstream, caches it, and serves it from the edge. This protects your builds from public registry outages and lets Cloudsmith scan every transitive dependency before it reaches your team.

  5. Yes. Cloudsmith's policy engine lets you govern which modules, versions, and package metadata are permitted. You can block specific versions, require specific metadata fields, or quarantine packages that do not meet your criteria - all before any team member can install them.

  6. Yes. Font Awesome uses Cloudsmith as a core part of their infrastructure for npm package distribution. After migrating from an unreliable paid registry, Cloudsmith gave them a rock-solid platform for serving packages to every customer they have. Cloudsmith is a proven choice for teams that need to control, secure, and distribute npm packages at scale.

  7. Yes. Cloudsmith repositories are multi-format, meaning you can store npm packages, Docker images, Maven artifacts, Python wheels, and 30+ other formats in the same repository. This gives you a single control plane for your entire software supply chain.

  8. Cloudsmith serves packages from 600+ edge points of presence around the world. Teams in any region get fast, consistent install times without you needing to operate or maintain any CDN infrastructure.

  9. Yes. Cloudsmith supports both public and private npm registries. You control visibility at the repository level, and use entitlement tokens or API keys to manage access for internal teams or external customers.

  10. Migration is straightforward. You update your .npmrc to point to Cloudsmith, republish your private packages, and optionally configure an upstream proxy to serve public packages via Cloudsmith from that point forward. Cloudsmith's team can walk you through the process during a demo.

  11. Yes. Cloudsmith is built to handle massive scale and is trusted as critical infrastructure by teams like Font Awesome, who use Cloudsmith to distribute npm packages to every one of their customers. Whether you are serving internal teams across a large enterprise or distributing packages to thousands of external consumers, Cloudsmith gives you the reliability, performance, and global reach your production pipelines depend on.
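The .npmrc setup that answers 1, 2 and 10 describe, written out as an added illustration (not taken from Cloudsmith's documentation). REGISTRY_HOST, OWNER, REPO, the @myorg scope and the environment variable names are placeholders; the credentials are read from the environment so that nothing secret lands in version control.

```ini
; Option A (FAQ 10, private packages only): route just your own scope to the
; private registry. A same-named package on the public registry can then never
; satisfy an @myorg dependency, because npm resolves that scope only here.
; REGISTRY_HOST/OWNER/REPO are placeholders, not values from this page.
@myorg:registry=https://REGISTRY_HOST/OWNER/REPO/

; Option B (FAQ 10, with an upstream proxy configured): make the Cloudsmith
; repository the default registry so every install, public packages included,
; is fetched, cached and scanned through it. Uncomment to use instead of / as
; well as the scoped mapping above.
; registry=https://REGISTRY_HOST/OWNER/REPO/

; Entitlement token authentication (FAQ 2). npm expands ${VAR} from the
; environment when it reads .npmrc, so the token itself is never committed.
//REGISTRY_HOST/OWNER/REPO/:_authToken=${CLOUDSMITH_NPM_TOKEN}

; HTTP Basic authentication (FAQ 2), the other supported method. _password is
; the base64 encoding of the password. Use this block or the token line above,
; not both.
; //REGISTRY_HOST/OWNER/REPO/:username=${CLOUDSMITH_NPM_USER}
; //REGISTRY_HOST/OWNER/REPO/:_password=${CLOUDSMITH_NPM_PASSWORD_B64}
```

Commit this file with the registry mappings and keep only the environment variables out of the repository; a token typed inline in place of `${CLOUDSMITH_NPM_TOKEN}` would be committed along with it.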
