Package Search Help

You can use boolean logic (e.g. AND/OR/NOT) for complex search queries. For more help and examples, see the search documentation.

Search by package name:
my-package (implicit)
name:my-package (explicit)

Search by package filename:
my-package.ext (implicit)
filename:my-package.ext (explicit)

Search by package tag:
latest (implicit)
tag:latest (explicit)

Search by package version:
1.0.0 (implicit)
version:1.0.0 (explicit)
prerelease:true (prereleases)
prerelease:false (no prereleases)

Search by package architecture:

Search by package distribution:

Search by package license:

Search by package format:

Search by package status:

Search by package file checksum:

Search by package security status:

Search by package vulnerabilities:

Search by # of package downloads:

Search by package type:

Search by package size (bytes):

Search by dependency name/version:

Search by uploaded date:
uploaded:>"1 day ago" 
uploaded:<"August 14, 2022 EST" 

Search by entitlement token (identifier):

Search by policy violation:

Search by repository:

Search queries for all Debian-specific (and related) package types

Search by component:

Search queries for all Maven-specific (and related) package types

Search by group ID:

Search queries for all Docker-specific (and related) package types

Search by image digest:
(full hashref only)

Search by layer digest:
(full hashref only)

Field type modifiers (depending on the type, you can influence behaviour)

For all queries, you can use:
~foo for negation

For string queries, you can use:
^foo to anchor to start of term
foo$ to anchor to end of term
foo*bar for fuzzy matching

For number/date or version queries, you can use:
>foo for values greater than
>=foo for values greater / equal
<foo for values less than
<=foo for values less / equal

Need a secure and centralised artifact repository to deliver Alpine, Cargo, CocoaPods, Composer, Conan, Conda, CRAN, Dart, Debian, Docker, Go, Helm, Hex, LuaRocks, Maven, npm, NuGet, P2, Python, RedHat, Ruby, Swift, Terraform, Vagrant, Raw & More packages?

Cloudsmith is the new standard in Package / Artifact Management and Software Distribution.

With support for all major package formats, you can trust us to manage your software supply chain.

Start My Free Trial
 Public spatialos spatialos / gdk-for-unity
GDK for Unity: NPM packages to be used with the SpatialOS GDK for Unity

Format-Specific Setup

To find out how to get setup locally so you can easily install packages, please select one of the formats from the tabs above.

Please note that the term repository here is Cloudsmith's concept of a package or artifact collection, and should not be confused with other package format specific meanings (such as the term as it is used by Docker, to mean a tagged image).

Note: Only help for package formats that exist in this repository is shown. You can also see the help for all package formats.

Need Help?

If you couldn't find what you needed in our documentation, then you can always chat to a member of our team instead. It's our mission to be your dedicated off-site team for package management, and we mean it. Come and chat with us, anytime.

npm logo

npm Registry Setup

Npm is the package manager of choice for the Javascript/Node ecosystem. Cloudsmith is fully compatible as an npmjs-like registry.

The following instructions are for npm or compatible packages only.

Registry Setup

There are two ways to tell npm to use a Cloudsmith-based npm registry:

  1. Set the registry as the default globally, per-user or per-project.
  2. Provide the registry URL when executing npm commands.

Set Default Registry

To use/set the registry as the default for your user, execute the following:

npm config set registry

You can set it globally (with permissions) by using the -g argument.

Alternatively, you can add it directly to your user or project .npmrc file:


Note: Setting the registry globally will impact all npm commands, unless they explicitly override the registry.

Specify Registry During Commands

You can specify the registry each time you execute npm commands, such as:

npm install lodash --registry=


Read-Only Authentication (Installing)

For a public registry, you do not provide authentication for read-only contexts, such as installing packages:

npm install awesome-package

npm Scopes

You can namespace your registry and packages using npm scopes.

Scoped Registry

Using a registry scope tells npm to route installs for packages in that scope to Cloudsmith.

You can set it via the command-line using:

npm config set '@cloudsmith:registry'

You can also set it directly in your user or project .npmrc file:


Note: You should replace @cloudsmith in the above with your own scope name.

Scoped Packages

Using a package scope provides a different namespace to other similarly named packages to differentiate them.

Installing packages with a scope requires putting the scope before the name:

npm install @cloudsmith/awesome-package

You can find out more about scoped packages (on

Note: You should replace @cloudsmith in the above with your own scope name.

Distribution Tags

Distribution tags allow npm packages to be tagged with a mnemonic that is associated with a specific package version.

These can be used as an alternative to the package version when installing packages, such as:

npm install awesome-package@beta --registry=

Cloudsmith has full support for distribution tags and (mostly) follows the same rules for them as on

  1. A specific tag can point at one version of a package only.
  2. A package version may have multiple unique tags.
  3. Unless specified otherwise, the default tag for the last package published is latest.
  4. When a package that is latest is deleted, the tag is moved to the next applicable version by semver.

You can inspect a package to see what tags it has:

npm dist-tags ls awesome-package --registry=
(out)latest: 1.0.0
(out)beta: 2.0.0

You can find out more about distribution tags (on

Transparent Upstream Proxying

Cloudsmith supports transparent proxying of install requests to/from

When enabled, requests for packages that don't exist in the registry will be automatically proxied:

npm install lodash@4.17.11 --registry=''
(out)+ lodash@4.17.11
(out)updated 1 package in 2.743s

In this case, lodash didn't exist in the registry and was proxied. This also applies automatically when npm is installing dependencies for your package. It will load them from the registry automatically and transparently proxy them.

Warning: If transparent upstream proxying is disabled for the registry then you will need to fetch all dependencies of your packages manually. These can then be published into the registry, or you can bundle them with bundleDependencies.

Security Auditing

Cloudsmith supports proxying of npm audit requests to detect vulnerabilities in dependencies:

npm audit
(out)                       === npm audit security report ===
(out)found 0 vulnerabilities
(out) in 1 scanned package

You can find out more about security auditing (on

Yarn Compatibility

Assuming that you have always-auth enabled, Yarn is immediately compatible with Cloudsmith registries:

yarn add lodash@4.17.11 --registry=
(out)[1/5] Validating package.json...
(out)[2/5] Resolving packages...
(out)[3/5] Fetching packages...
(out)[4/5] Linking dependencies...
(out)[5/5] Building fresh packages...
(out)success Saved lockfile.
(out)success Saved 1 new dependency.
(out)info Direct dependencies
(out)└ lodash@4.17.11
(out)info All dependencies
(out)└ lodash@4.17.11

To enable always-auth, add it to your user or project .npmrc file:


Need Help?

If you couldn't find what you needed in our documentation, then you can always chat to a member of our team instead. It's our mission to be your dedicated off-site team for package management, and we mean it. Come and chat with us, anytime.

What's this page? You can always download packages from Cloudsmith manually, but native package manager setup allows you to simplify and automate downloads. A native package manager has intelligence built-in that allows it to understand concepts like metadata, versioning, duplication, convergence, etc. As such, we will always recommend that you install natively where possible. Learn more in the setup documentation.