All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Added Alpine Upstream support for managing upstream configurations.

• Added --tag option to download command for filtering packages by tags
• Added download command documentation to README with comprehensive usage examples
• Added --filename option to download command for filtering by package filename, with support for glob patterns (e.g., --filename '*.snupkg')
• Added --download-all flag to download command to download all matching packages instead of erroring on multiple matches
• Multiple packages table now includes a Filename column for easier disambiguation

• Added vulnerabilities command to retrieve security scan results for a package
  • Summary View (Default): Displays a high-level count of vulnerabilities broken down by severity (Critical, High, Medium, Low, Unknown).
  • Assessment View --show-assessment (-A): Provides a detailed breakdown where vulnerabilities are:
    • Grouped by the specific affected upstream package / dependency.
    • Sorted by severity (Critical first).
    • Richly formatted tables.
  • Filtering Capabilities:
    • By Severity: --severity Show only specific levels (e.g., just Critical and High).
    • By Status: --fixable | --non-fixable Filter to show only "Fixable" vulnerabilities (where a patch exists) or "Non-Fixable" ones.
  • Supports --output-format json | pretty_json for programmatic usage

• Added vulnerabilities command to retrieve security scan results for a package
  • Summary View (Default): Displays a high-level count of vulnerabilities broken down by severity (Critical, High, Medium, Low, Unknown).
  • Assessment View --show-assessment (-A): Provides a detailed breakdown where vulnerabilities are:
    • Grouped by the specific affected upstream package / dependency.
    • Sorted by severity (Critical first).
    • Richly formatted tables.
  • Filtering Capabilities:
    • By Severity: --severity Show only specific levels (e.g., just Critical and High).
    • By Status: --fixable | --non-fixable Filter to show only "Fixable" vulnerabilities (where a patch exists) or "Non-Fixable" ones.
  • Supports --output-format json | pretty_json for programmatic usage

• Added CLOUDSMITH_NO_KEYRING environment variable to disable keyring usage globally. Set CLOUDSMITH_NO_KEYRING=1 to skip system keyring operations.
• Added --request-api-key flag to cloudsmith auth command for fully automated, non-interactive API token retrieval. Auto-creates a token if none exists, or auto-rotates (with warning) if one already exists. Compatible with --save-config and CLOUDSMITH_NO_KEYRING.
• Added --verbose (-v) flag to cloudsmith whoami to show detailed authentication information including active method (API Key or SSO Token), credential source, token metadata, and SSO status. Supports --output-format json.
• Added cloudsmith logout command to clear stored authentication credentials and SSO tokens.
  • Clears credentials from credentials.ini and SSO tokens from the system keyring
  • --keyring-only to only clear SSO tokens from the system keyring
  • --config-only to only clear credentials from credentials.ini
  • --dry-run to preview what would be removed without making changes
  • Supports --output-format json for programmatic usage

• The --token flag on cloudsmith auth is deprecated. Use --request-api-key instead.
• The --force flag on cloudsmith auth is deprecated. Use --request-api-key instead (force behavior is implied).
• The --json flag on cloudsmith auth is deprecated. Use --output-format json instead.

• Added Model Context Protocol (MCP) server support via cloudsmith mcp commands. Only STDIO transport is supported for now.
• Auto-configure supported clients (Claude Desktop, Cursor, VS Code, Gemini CLI) with cloudsmith mcp configure
• List available tools with cloudsmith mcp list_tools and tool groups with cloudsmith mcp list_groups
• Filter tools via mcp_allowed_tools and mcp_allowed_tool_groups configuration options to control which API operations are exposed

• Added Generic Format support for pushing packages to repositories.
• Added Upstream support for managing upstream proxy configurations.

• Migrate from CircleCI to GitHub Actions for testing and release workflows.
• Remove CircleCI workflows.
• Migrate from using shiv for zipapp generation to pex in order to support specific platform/arch and improve testing framework.
• Add zizmor for GitHub Actions code scans, part of workflow and pre-commit.
• Support output format for --version in order to allow JSON parsing.

• The --json flag used in cloudsmith auth command will be removed in upcoming releases. Please migrate to --output-format json instead.

• Fixed JSON output for all commands
  • Informational messages, warnings, and interactive prompts are now routed to stderr when --output-format json is active.
  • Error messages are now formatted as structured JSON on stdout when JSON output is requested.

• Set --show-all to alias --page-all
• Add the ability to use a shortcut within --page-size to use pass -1 or * to retrieve all pages i.e. --page-size -1 or --page-size * (note the wildcard may require escaping in some shell environments)
• Added support for deny policy management commands (list, create, get, update, delete)

• Issue #250 - Updated requests_toolbelt dependency to >=1.0.0 to ensure compatibility with urllib3>=2.5 and avoid urllib3.contrib.appengine import errors.

• Fixed quarantine block/add command

• Upgraded urllib3 from v1.26.20 to v2.5.0.
• Added mock_keyring fixture to prevent SSO token refresh attempts during individual test_rest.py test which runs in pipelines (full suite passes). Caused by HTTPretty issue 484.
• Entitlement token list command now fixed
• Drop click dependency from v8.2.0 to v8.1.8 to fix dependency issue for Python 3.9

No code changes in this release. Version bump performed for release process consistency and to address packaging/metadata updates.

• [Issue-170] - Add flag to get all pages

• Issue-235 - Fix for latest zipapp releases not working on < python@3.14

• Click v8.3.0 was a breaking update which impacted conversion of Sentinel.UNSET values which impacted the auth --token workflow. Locking to 8.2.x versions and restricted 8.3.0 explicitly.

• New minor version release includes v1.8.8 changes.

• --json flag for the auth command now outputs json only.

• Added Python 3.14 support
• Added download command to download package binaries directly from Cloudsmith repositories
  • Support for downloading packages with version, format, OS, and architecture filters
  • Progress bar with download speed and size information
  • Automatic checksum verification (MD5, SHA256, SHA1)
  • Dry-run mode to preview downloads without downloading
  • Auto-selection mode with --yes flag for scripting
  • --all-files option to download all associated files (POM, sources, javadoc, SBOM, etc.) for Maven, NuGet, and other multi-file packages
    • Downloads all files into a folder named {package-name}-{version}
    • Supports custom output directory with --outfile option
    • Shows file type tags (pkg, pom, sources, javadoc, cyclonedx, sbom)
    • Reports download progress and success/failure summary for each file

• Cloudsmith auth -o <org> --token now creates a new token if none previously existed.
• Added support for json output for auth via --json param.
• Added new create command for tokens. If authenticated and no previous token exists, this allows for new token creation.

• Added --force parameter to the Auth command to be used in conjunction with --token to refresh tokens without interactive prompts i.e automatic.
• Added --force parameter to the Tokens refresh command to automatically refresh without an interactive prompt.

• Support for Conda, Cargo, Go, and Hugging Face upstreams (#214)

• Added 'swift' and 'hex' as available upstream formats.

• Make an sdist available as part of the release.

• Fix bug that caused configuration to be dropped in the authenticate command.
• Fix bug in the default configuration schema.

• Added support for managing User API Tokens (#192)

• Added a fix for certain login error messages being suppressed (#196)

• Added support for 2FA authentication when logging in (#188)

• Added --extra-files parameter for Maven upload command (#190)

• Added html templates for saml response endpoints
• Added json support for whoami
• Added support for additional headers to be passed to the saml authentication flow

• Added --sort flag for package list command (#185)

• Fixed cloudsmith auth command where it results in 403 (#183)

• Update cloudsmith-api to v2.0.16 (#181)

• Dropped support for Python 3.8. (#137)

• Missing dependency from setup.py file (#177)

• The auth command, enabling users to authenticate against the API with their organization's configured SAML provider (#174)

• Produce CLI zipapp artefact on release (#164)

• Show pagination info for repos get (#163)

• Support for Swift package uploads (#161)

• Support for CRAN upstreams (#157)

• Revert change to urllib3 Retry constructor method_whitelist/allowed_methods kwarg (#148)

• Added support for large file uploads (#143)

• Removed more unused dependencies relating to python 2.7 compatibility (#142)

• Dropped support for EOL versions of Python (<3.8). (#134)

• Added upstream commands (#131)

• Added --sbt-version and --scala-version support for maven upload (#128)

• Added --ivy-file support for maven upload (#125)

• Removed type annotations from maybe_truncate_list and maybe_truncate_string to fix python 2.7 support (#120)

• Added support for package_query_string to license and vulnerability policy management (#118)

• cloudsmith whoami no longer errors for Services (#116)

• Added support for license policy management (#113)

• Added support for vulnerability policy management (#111)

• Write Python 2 deprecation message to stderr. (#109)

• Added deprecation warning to output for Python 2. (#106)

• Updated incorrect push format parameter descriptions.

• Pinned urllib3 due to it dropping support for py2.

• Try harder to find a user's ~/.cloudsmith across operating systems, so config files are found.

• Revert minimum allowed version of click to 7.0.0.

• Bump minimum allowed version of click to 8.0.3.

• Temporarily disable client-side validation within the cloudsmith-api.

• Fixed an issue where datetime objects couldn't be serialised when outputting as JSON.

• Updated to support cloudsmith-api v.2.0.0

• Fixed a typo in permission exceptions.
• Removed linting noqas from help docs.

• add '.' to config search paths (#78)

• add quarantine add/rm command (#80)

• Update API client initialization to support newer versions of cloudsmith-api.

• Fixed issue with JSON-based output for the dependencies command.

• Added the cloudsmith dependencies sub-command, to list package dependencies.

• The ordering of the columns in the quota command has been fixed.

• cloudsmith push will now pause/sleep the process when calling the status endpoint during pushes (thanks to bagoston).

• Documentation generation for PyPi was broken; converted to markdown and fixed.

Documentation release.

Documentation release.

• Automatic releasing of CLI via CircleCI fixed.

• Support for Python 2 with the new package and token metrics changes

Note: This release requires cloudsmith-api >= 0.57.1.

• Rework package and token metrics

Note: This release requires cloudsmith-api >= 0.54.15.

• Support for Organization Usage Metrics API
• Fix for rendering Entitlement Token restrictions via the CLI

• Fixed formatting JSON results for the metrics and quota commands; -F json should work now.

Note: This release requires cloudsmith-api >= 0.53.79.

• Resolves breaking changes in Bandwidth Usage Metrics.

• Implements Bandwidth controls for Entitlment Tokens.

• The builtin rate-limiting will no longer throttle at exit (prevents hanging on shutdown).
• The builtin rate-limiting will display a message when throttled by 429 responses.

• The push command will now display how long it took to sync/fail a package upload.

• The synch wait interval is now a minimum bound, and increases over time.

• The synch progress bar will now display immediately, instead of being delayed.

Note: This release requires cloudsmith-api >= 0.53.3.

• Support for Quota API limits & history

• Fixed Python3 compatibility (removed f-string)

Note: This release requires cloudsmith-api >= 0.52.92.

• Support for Package Usage Metrics API

Note: This release requires cloudsmith-api >= 0.52.79.

• Support for Usage Metrics API

Note: This release requires cloudsmith-api >= 0.52.0.

• Support for package tagging: list, add, clear, remove and replace tags.
• Support for debian DSC (source file) uploading.

• Publishing a duplicate package without specifying --publish or --no-republish will now default to the repository republish settings.

• Support for Terraform modules.
• Update for (C/C++) Conan push command to allow an optional name and version to be provided.

• Update for (C/C++) Conan packages.

• Support for (C/C++) Conan packages.

• Support for repositories API and subcommands (list, create, retrieve, update and delete).

• Version specifier set by 0.20.0 wasn't compatible with older versions of Python.

Note: This release pins the Cloudsmith API library to version 0.x due to changes in the versioning of the library. If you're having issues with an older version of the CLI that installs the latest API, please upgrade your CLI version, or install cloudsmith-api==0.49.94.

• Pinned the Cloudsmith API library version to 0.x+ (excl. 1.x+ series).

• Credentials config file not being populated with API key by cloudsmith login.

• Missing README information on PyPi.

• Support for (Objective-C and Swift) CocoaPod packages.

• Support for (Google) Dart packages.

• Fixed issue with displaying entitlements.

• Regression with the cloudsmith login and cloudsmith token commands where they didn't execute correctly.

• cloudsmith login command (so that it is properly recognised) (thanks to @robmadole for reporting).

• Upgraded suggested version of python-click to >=7.0.
• Renamed the cloudsmith token command to cloudsmith login (token still works).

• Parsing of booleans from config files.
• Tolerance of booleans without values in config files (thanks to @Mno-hime for reporting).

• Support for --content-type when uploading Raw packages.

• Support for NuGet packages (via API update).

• Support for --without-api-ssl-verify to turn off SSL verification.

• Support for Go modules.

• Support for R/CRAN packages.

• Ordering of parameter decorators.

• Support for LuaRocks modules.

• Removed duplicated --dry-run parameter in push command (thanks to @SeanTAllen of @ponylang).

• Support for Cargo registry crates.

• Support for Docker registry image containers.

• Issue with executing in py2/py3 using entrypoint.

• Support for Helm repository charts/packages (https://github.com/helm/charts).
• Support for republishing packages (overwrite existing versions).

• Python 3.x compatibility due to not decoding request responses properly.

• 501, 502, 503 and 504 errors received from the API will now be retried, with exponential backoff.

• Entitlement command output will now respect pretty format properly and not send non-output to sysout.

• Support for Alpine Linux and NPM/npm packages.
• Updated and pinned cloudsmith-api dependency to 0.32.11.

• Compatibility with upcoming API changes for listing repositories.

• Regression in listing packages caused by typo.

• When calling ls repos, the CLI will now list all repositories that the user can see.

• Compatibility with API changes for listing repositories.

• Pinned cloudsmith-cli to 0.30.7 to fix issues with entitlements actions.

• Updated and pinned cloudsmith-api dependency to 0.30.3.
• Added support for latest API (0.30.x+) which changed how packages are referenced (slug -> identifier).
• Added support for latest API (0.30.x+) which changed how entitlements are referenced (slug_perm -> identifier).

• Always print rate limit information at exit (if throttled).

• #5: Credentials file not loading when explicitly specified via command-line parameter.
• #6: Ensure that a non-zero status is always returned on errors/failures.
• Exit with an error after running out of sync attempts.

• Issue with entitlements create command crashing because --name was left off.

• Issue with the move subcommand due to typo in string formatting.

• Issue with entitlements due to issue in API library.

• Issue with status subcommand failing due to API mismatch.

• Issue with package synchronisation stalling due to typo in status check.

• Display status reason text when a package fails, and give up attempting if it was fatal.

• Support for aliased subcommands, starting with delete = rm, list = ls and push = upload.
• Support for retrieving rate limits from the API via check limits.
• Support for searching packages via -q|--query search query parameter.
• Support for copy (cp), move (mv) and resync package subcommands.
• Support for automatic resyncing when the sync fails (attempts can be controlled using --sync-attempts).
• Support for formatting the output of list subcommands (distros, packages and json) as JSON using -F or --output-format).
• Support for entitlements API and subcommands (list, create, update, delete, refresh and sync).
• Automatic rate limiting based on usage across all API calls (it can be turned off using -R).
• Utility for printing tables (internal only, but expect consistent tables for list-based results).

• Minimum API version required is now 0.26.0+.
• The check command is now a list of sub-commands, and check service is now for checking the service status.

• Support for pagination (page and page size) for lists, such as listing packages and repositories.

• Made documentation for cloudsmith push clearer for formats that support distro/release.
• Serialization for API headers (especially Authorization) - No impact for most users.

• When writing a default credentials.ini file, use ug+rw for permissions instead of world-readable.

• Issue #2: Not able to upload in Python3-based environments due to code incompatibility.

• Silly (but nice) ASCII art banner for help command.
• Default creds/non-creds config files are now created/initialised on cloudsmith token.
• Support for CLOUDSMITH_CONFIG_FILE and CLOUDSMITH_CREDENTIALS_FILE environment variables.
• Support for adding arbitrary headers to the API via --api-headers and CLOUDSMITH_API_HEADERS.

• Pin for cloudsmith-api is now correctly set to 0.21.3.

Phase 2 release.

• Configuration profiles, to support multiple environments.
• Options for api_host, api_proxy and api_user_agent in config file.
• The help command for those who need more than -h and --help.
• Support for uploading multiple package files at once.
• Tox-based testing for Python2.x and Python3.x.
• Pre-flight checks to push/upload command.
• The list command with support for listing distros, packages and repos.

• Environment variables to use a CLOUDSMITH_ prefix (not backwards compatible).

• Validation for push commands that require a distribution.
• Token endpoint failing because API key overrides login/password.
• Python3 compatibility so that it now runs with Py3. :-)

Phase 1 release (initial release).