---
title: "Private NPM Registry - Secure, Cloud-Native | Cloudsmith"
description: "Host and distribute private npm packages with Cloudsmith. Full npmjs API compatibility, vulnerability scanning, governance policies, and 600+ edge locations. Trusted by teams like Font Awesome."
canonical_url: "https://cloudsmith.com/product/formats/npm-registry"
last_updated: "2026-05-06T21:25:02Z"
---
# Private NPM Registry - Secure, Cloud-Native | Cloudsmith

## The private **NPM** registry built for teams who can't afford to compromise

Cloudsmith gives you a fully managed, cloud-native NPM registry with high compatibility with the official npmjs API. Use the standard npm CLI to publish, install, and manage packages - while gaining the security controls, governance policies, and global distribution that npmjs.org was never designed to provide.

## Create your own Private NPM Registry with Cloudsmith

NPM (Node Package Manager) is the package manager for JavaScript, it makes it easy to install, update and manage packages for Node.js projects. An NPM registry is a server-side store of npm packages and their metadata. NPM registries can be public - like the official npmjs.org, or a private registry like the one Cloudsmith provides

Universal format support

## **One registry for everything your team ships.** Cloudsmith is a secure, fully managed store for all your packages, containers, and assets.

- Use NPM + 30 other formats in the same registry
- Store Docker container images alongside your Node.js packages
- Centralize raw assets and binary files with your npm dependencies

## How we support **NPM**

Cloudsmith is a drop-in, fully managed NPM registry that gives your teams control, security, and global performance out of the box. No infrastructure to manage, no compromises on capability.

[Read our NPM documentation](https://docs.cloudsmith.com/formats/npm-registry)

### Full npmjs API compatibility

Cloudsmith is fully compatible with the official npm CLI. Point your .npmrc at Cloudsmith and use npm install, npm publish, and npm audit exactly as you do today - no tooling changes required.

### Vulnerability scanning for Node.js packages

Cloudsmith scans your npm packages for known CVEs and malware. Proxy npm audit requests through Cloudsmith to bring all dependency security checks into one controlled, auditable environment.

### Governance policies and quarantine

Create and enforce policies governing which modules are permitted in your repositories. Block specific versions, require specific metadata fields, or quarantine packages that do not meet your criteria before any team member installs them.

### Global distribution via 600+ edge locations

Your npm packages are served from 600+ points of presence around the world. Teams in any region get fast, consistent install times without you managing a single CDN node.

### Upstream proxying and caching

Proxy the public npmjs.org registry through Cloudsmith to cache, scan, and vet every dependency your teams pull in. Eliminate your exposure to public registry outages and supply chain attacks in a single step.

## Why teams choose Cloudsmith for **NPM**

The public npmjs.org registry was built for open-source sharing, not enterprise control. Cloudsmith gives teams the private, governed, high-availability NPM registry that production pipelines actually demand.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Public registry outages halt CI/CD pipelines and block deployments. Teams scramble for workarounds when npmjs.org goes down, losing hours of productive engineering time. | Cloudsmith caches your dependencies at the edge so builds keep running even when upstream registries experience issues. Your pipelines stay green regardless of what happens to the public registry. |

| Any package on npmjs.org can be installed by any developer with no controls in place. Malicious or vulnerable packages reach production before anyone notices. | Cloudsmith scans every npm package for CVEs and enforces governance policies before packages reach your teams. You control which modules, versions, and metadata standards are allowed into your repositories. |

| Teams running self-hosted private registries spend engineering time on infrastructure maintenance, upgrade cycles, and scaling problems as usage grows. | Cloudsmith is fully managed with no infrastructure to operate. You get elasticity, high availability, and global distribution without a single server to maintain, patch, or scale. |

## Signs you're ready to switch to Cloudsmith for **NPM**

If your current npm setup is slowing your team down or leaving you exposed, Cloudsmith is the upgrade. Here are the clearest signals it's time to move.

[Book a demo with one of our experts](/book-a-demo)

### You have no visibility into what packages your teams are installing

Without a private registry, you cannot see, audit, or govern what enters your build pipelines. Cloudsmith gives you full audit logs, package insights, and policy enforcement across every npm install.

### Registry downtime is breaking your builds

Relying directly on npmjs.org is a single point of failure for every pipeline you run. Cloudsmith's caching and edge network give your builds resilience against public registry disruptions.

### Your self-hosted registry is becoming a maintenance burden

Verdaccio, Nexus, and Artifactory require ongoing ops effort to keep running, patched, and scaled. Cloudsmith is fully managed so your engineers focus on product, not infrastructure.

### You need to distribute packages to customers or external teams

npmjs.org has no concept of controlled external distribution. Cloudsmith gives you entitlement tokens, scoped access, and public or private registries to distribute packages on your terms.

### Your packages are scattered across multiple tools

If your npm packages live separately from your Docker images, Maven artifacts, or Python wheels, consolidating onto Cloudsmith gives you a single control plane for your entire software supply chain.

## Get started with **NPM** on Cloudsmith

[Book a demo](/book-a-demo)

[View pricing](/pricing)

## Frequently asked questions

### Does Cloudsmith work with the standard npm CLI?

Yes. Cloudsmith provides high compatibility with the official npmjs API, so you can use the npm CLI to install, publish, and manage packages without changing your tooling. You simply point your .npmrc at your Cloudsmith registry endpoint.

### How do I authenticate against a Cloudsmith npm registry?

Cloudsmith supports two authentication methods for npm: Entitlement Token Authentication and HTTP Basic Authentication. You configure these in your .npmrc file or via npm login. For npm audit specifically, you must authenticate using a Cloudsmith API key.

### Can Cloudsmith scan my npm packages for vulnerabilities?

Yes. Cloudsmith scans npm packages for known CVEs and malware. Node.js is a supported format for vulnerability scanning. You can also proxy npm audit requests through Cloudsmith, bringing dependency security checks into a single controlled environment.

### Can I proxy and cache packages from the public npmjs.org registry?

Yes. Cloudsmith supports upstream proxying of npmjs.org. When a package is requested, Cloudsmith fetches it from the upstream, caches it, and serves it from the edge. This protects your builds from public registry outages and lets Cloudsmith scan every transitive dependency before it reaches your team.

### Can I enforce policies on which npm packages are allowed in my repositories?

Yes. Cloudsmith's policy engine lets you govern which modules, versions, and package metadata are permitted. You can block specific versions, require specific metadata fields, or quarantine packages that do not meet your criteria - all before any team member can install them.

### Is Cloudsmith used by teams with demanding npm requirements?

Yes. Font Awesome uses Cloudsmith as a core part of their infrastructure for npm package distribution. After migrating from an unreliable paid registry, Cloudsmith gave them a rock-solid platform for serving packages to every customer they have. Cloudsmith is a proven choice for teams that need to control, secure, and distribute npm packages at scale.

### Can I store npm packages alongside other formats like Docker or Maven?

Yes. Cloudsmith repositories are multi-format, meaning you can store npm packages, Docker images, Maven artifacts, Python wheels, and 30+ other formats in the same repository. This gives you a single control plane for your entire software supply chain.

### How does Cloudsmith distribute npm packages globally?

Cloudsmith serves packages from 600+ edge points of presence around the world. Teams in any region get fast, consistent install times without you needing to operate or maintain any CDN infrastructure.

### Can I create both public and private npm registries on Cloudsmith?

Yes. Cloudsmith supports both public and private npm registries. You control visibility at the repository level, and use entitlement tokens or API keys to manage access for internal teams or external customers.

### How do I migrate from my existing private npm registry to Cloudsmith?

Migration is straightforward. You update your .npmrc to point to Cloudsmith, republish your private packages, and optionally configure an upstream proxy to serve public packages via Cloudsmith from that point forward. Cloudsmith's team can walk you through the process during a demo.

### Is Cloudsmith built for production-scale npm workloads?

Yes. Cloudsmith is built to handle massive scale and is trusted as critical infrastructure by teams like Font Awesome, who use Cloudsmith to distribute npm packages to every one of their customers. Whether you are serving internal teams across a large enterprise or distributing packages to thousands of external consumers, Cloudsmith gives you the reliability, performance, and global reach your production pipelines depend on.
