Supported package managers and functionality
The GitLab package registry supports different functionalities for each package type. This support includes publishing and pulling packages, request forwarding, managing duplicates, and authentication.
Supported package managers
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Not all package manager formats are ready for production use.
The package registry supports the following package manager types:
| Package type | Status |
|---|---|
| Composer | Beta |
| Conan 1 | Experiment |
| Conan 2 | Experiment |
| Debian | Experiment |
| Generic packages | Generally available |
| Go | Experiment |
| Helm | Beta |
| Maven | Generally available |
| npm | Generally available |
| NuGet | Generally available |
| PyPI | Generally available |
| Ruby gems | Experiment |
You can also use the API to administer the package registry.
Publishing packages
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Packages can be published to your project, group, or instance.
| Package type | Project | Group | Instance |
|---|---|---|---|
Maven (with mvn) |
Yes | No | No |
Maven (with gradle) |
Yes | No | No |
Maven (with sbt) |
No | No | No |
| npm | Yes | No | No |
| NuGet | Yes | No | No |
| PyPI | Yes | No | No |
| Generic packages | Yes | No | No |
| Terraform | Yes | No | No |
| Composer | No | Yes | No |
| Conan 1 | Yes | No | Yes |
| Conan 2 | Yes | No | No |
| Helm | Yes | No | No |
| Debian | Yes | No | No |
| Go | Yes | No | No |
| Ruby gems | Yes | No | No |
Pulling packages
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Packages can be pulled from your project, group, or instance.
| Package type | Project | Group | Instance |
|---|---|---|---|
Maven (with mvn) |
Yes | Yes | Yes |
Maven (with gradle) |
Yes | Yes | Yes |
Maven (with sbt) |
Yes | Yes | Yes |
| npm | Yes | Yes | Yes |
| NuGet | Yes | Yes | No |
| PyPI | Yes | Yes | No |
| Generic packages | Yes | No | No |
| Terraform | No | Yes | No |
| Composer | Yes | Yes | No |
| Conan 1 | Yes | No | Yes |
| Conan 2 | Yes | No | No |
| Helm | Yes | No | No |
| Debian | Yes | No | No |
| Go | Yes | No | Yes |
| Ruby gems | Yes | No | No |
Forwarding requests
- Tier: Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Prerequisites:
- On GitLab.com: You must be the Owner of the group.
- On GitLab Self-Managed: You must be an administrator.
When a package is not found in your project's package registry, requests are forwarded to the corresponding public registry of the package manager.
The default forwarding behavior varies by package type and can introduce a dependency confusion vulnerability. The table below shows which package managers support package forwarding.
To reduce the associated security risks:
- Verify the package is not being actively used.
- Implement a version control tool, like Git, to track changes to packages.
- Turn off request forwarding:
- Instance administrators can disable forwarding in the Admin area. For more information, see Control package forwarding.
- Group owners can turn off package forwarding in the group settings.
To turn off request forwarding for a group:
- On the top bar, select Search or go to and find your group.
- On the left sidebar, select Settings > Packages and registries.
- Under Package forwarding, clear either of the following checkboxes:
- Forward npm package requests
- Forward PyPI package requests
- Select Save changes.
| Package type | Supports request forwarding | Security considerations |
|---|---|---|
Maven (with mvn) |
Yes (disabled by default) | Requires explicit opt-in for security. |
Maven (with gradle) |
Yes (disabled by default) | Requires explicit opt-in for security. |
Maven (with sbt) |
Yes (disabled by default) | Requires explicit opt-in for security. |
| npm | Yes | Consider disabling for private packages. |
| PyPI | Yes | Consider disabling for private packages. |
| NuGet | No | No |
| Generic packages | No | No |
| Terraform | No | No |
| Composer | No | No |
| Conan 1 | No | No |
| Conan 2 | No | No |
| Helm | No | No |
| Debian | No | No |
| Go | No | No |
| Ruby gems | No | No |
Deleting packages
When package requests are forwarded to a public registry, package deletion can cause a dependency confusion vulnerability.
If a system tries to pull a deleted package, the request forwards to the public registry. If a package with the same name and version is in the public registry, that package is pulled instead. The package pulled from the registry might not be what you expect, and could be malicious.
To reduce the associated security risks, before you delete a package:
- Verify the package is not being actively used.
- Disable request forwarding.
To delete packages, you can:
Importing packages from other repositories
You can use GitLab pipelines to import packages from other repositories, such as Maven Central or Artifactory with the package importer tool.
| Package type | Importer available? |
|---|---|
Maven (with mvn) |
Yes |
Maven (with gradle) |
Yes |
Maven (with sbt) |
Yes |
| npm | Yes |
| NuGet | Yes |
| PyPI | Yes |
| Generic packages | No |
| Terraform | No |
| Composer | No |
| Conan 1 | No |
| Conan 2 | No |
| Helm | No |
| Debian | No |
| Go | No |
| Ruby gems | No |
Allow or prevent duplicates
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
By default, the GitLab package registry either allows or prevents duplicates based on the default of that specific package manager format.
| Package type | Duplicates allowed? |
|---|---|
Maven (with mvn) |
Yes (configurable) |
Maven (with gradle) |
Yes (configurable) |
Maven (with sbt) |
Yes (configurable) |
| npm | No |
| NuGet | Yes |
| PyPI | No |
| Generic packages | Yes (configurable) |
| Terraform | No |
| Composer | No |
| Conan 1 | No |
| Conan 2 | No |
| Helm | Yes |
| Debian | Yes |
| Go | No |
| Ruby gems | Yes |
Authenticate with the registry
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Authentication depends on the package manager you're using. To learn what authentication protocols are supported for a specific package type, see Authentication protocols.
For most package types, the following authentication tokens are valid:
The following table lists which authentication tokens are supported for a given package manager:
| Package type | Supported tokens |
|---|---|
Maven (with mvn) |
Personal access, job tokens, deploy (project or group), project access |
Maven (with gradle) |
Personal access, job tokens, deploy (project or group), project access |
Maven (with sbt) |
Personal access, job tokens, deploy (project or group), project access |
| npm | Personal access, job tokens, deploy (project or group), project access |
| NuGet | Personal access, job tokens, deploy (project or group), project access |
| PyPI | Personal access, job tokens, deploy (project or group), project access |
| Generic packages | Personal access, job tokens, deploy (project or group), project access |
| Terraform | Personal access, job tokens, deploy (project or group), project access |
| Composer | Personal access, job tokens, deploy (project or group), project access |
| Conan 1 | Personal access, job tokens, project access |
| Conan 2 | Personal access, job tokens, project access |
| Helm | Personal access, job tokens, deploy (project or group) |
| Debian | Personal access, job tokens, deploy (project or group) |
| Go | Personal access, job tokens, project access |
| Ruby gems | Personal access, job tokens, deploy (project or group) |
When you configure authentication to the package registry:
- If the Package registry project setting is turned off, you receive a
403 Forbiddenerror when you interact with the package registry, even if you have the Owner role. - If external authorization is turned on, you can't access the package registry with a deploy token.
- If your organization uses two-factor authentication (2FA), you must use a personal access token with the scope set to
api. - If you are publishing a package by using CI/CD pipelines, you must use a CI/CD job token.
Authentication protocols
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Version history
- Basic authentication for Maven packages introduced in GitLab 16.0.
The following authentication protocols are supported:
| Package type | Supported auth protocols |
|---|---|
Maven (with mvn) |
Headers, Basic auth |
Maven (with gradle) |
Headers, Basic auth |
Maven (with sbt) |
Basic auth (pulling only) |
| npm | OAuth |
| NuGet | Basic auth |
| PyPI | Basic auth |
| Generic packages | Basic auth |
| Terraform | Token |
| Composer | OAuth |
| Conan 1 | OAuth, Basic auth |
| Conan 2 | OAuth, Basic auth |
| Helm | Basic auth |
| Debian | Basic auth |
| Go | Basic auth |
| Ruby gems | Token |
Supported hash types
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Hash values are used to ensure you are using the correct package. You can view these values in the user interface or with the API.
The package registry supports the following hash types:
| Package type | Supported hashes |
|---|---|
Maven (with mvn) |
MD5, SHA1 |
Maven (with gradle) |
MD5, SHA1 |
Maven (with sbt) |
MD5, SHA1 |
| npm | SHA1 |
| NuGet | not applicable |
| PyPI | MD5, SHA256 |
| Generic packages | SHA256 |
| Composer | not applicable |
| Conan 1 | MD5, SHA1 |
| Conan 2 | MD5, SHA1 |
| Helm | not applicable |
| Debian | MD5, SHA1, SHA256 |
| Go | MD5, SHA1, SHA256 |
| Ruby gems | MD5, SHA1, SHA256 (gemspec only) |