Skip to content

Supported package functionality

The GitLab package registry supports different functionalities for each package type. This support includes publishing and pulling packages, request forwarding, managing duplicates, and authentication.

Publishing packages

DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

Packages can be published to your project, group, or instance.

Package type Project Group Instance
Maven (with mvn) Y N N
Maven (with gradle) Y N N
Maven (with sbt) N N N
npm Y N N
NuGet Y N N
PyPI Y N N
Generic packages Y N N
Terraform Y N N
Composer N Y N
Conan Y N Y
Helm Y N N
Debian Y N N
Go Y N N
Ruby gems Y N N

Pulling packages

DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

Packages can be pulled from your project, group, or instance.

Package type Project Group Instance
Maven (with mvn) Y Y Y
Maven (with gradle) Y Y Y
Maven (with sbt) Y Y Y
npm Y Y Y
NuGet Y Y N
PyPI Y Y N
Generic packages Y N N
Terraform N Y N
Composer Y Y N
Conan Y N Y
Helm Y N N
Debian Y N N
Go Y N Y
Ruby gems Y N N

Forwarding requests

DETAILS: Tier: Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

Requests for packages not found in your GitLab project are forwarded to the public registry. For example, Maven Central, npmjs, or PyPI.

Package type Supports request forwarding
Maven (with mvn) Yes (disabled by default)
Maven (with gradle) Yes (disabled by default)
Maven (with sbt) Yes (disabled by default)
npm Yes
NuGet N
PyPI Yes
Generic packages N
Terraform N
Composer N
Conan N
Helm N
Debian N
Go N
Ruby gems N

Deleting packages

When package requests are forwarded to a public registry, deleting packages can be a dependency confusion vulnerability.

If a system tries to pull a deleted package, the request is forwarded to the public registry. If a package with the same name and version is found in the public registry, that package is pulled instead. There is a risk that the package pulled from the registry might not be what is expected, and could even be malicious.

To reduce the associated security risks, before deleting a package you can:

  • Verify the package is not being actively used.
  • Disable request forwarding:
    • Instance administrators can disable forwarding in the Continuous Integration section of the Admin area.
    • Group owners can disable forwarding in the Packages and Registries section of the group settings.

Importing packages from other repositories

You can use GitLab pipelines to import packages from other repositories, such as Maven Central or Artifactory with the package importer tool.

Package type Importer available?
Maven (with mvn) Y
Maven (with gradle) Y
Maven (with sbt) Y
npm Y
NuGet Y
PyPI Y
Generic packages N
Terraform N
Composer N
Conan N
Helm N
Debian N
Go N
Ruby gems N

Allow or prevent duplicates

DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

By default, the GitLab package registry either allows or prevents duplicates based on the default of that specific package manager format.

Package type Duplicates allowed?
Maven (with mvn) Y (configurable)
Maven (with gradle) Y (configurable)
Maven (with sbt) Y (configurable)
npm N
NuGet Y
PyPI N
Generic packages Y (configurable)
Terraform N
Composer N
Conan N
Helm Y
Debian Y
Go N
Ruby gems Y

Authentication tokens

DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

GitLab tokens are used to authenticate with the GitLab package registry.

The following tokens are supported:

Package type Supported tokens
Maven (with mvn) Personal access, job tokens, deploy (project or group), project access
Maven (with gradle) Personal access, job tokens, deploy (project or group), project access
Maven (with sbt) Personal access, job tokens, deploy (project or group), project access
npm Personal access, job tokens, deploy (project or group), project access
NuGet Personal access, job tokens, deploy (project or group), project access
PyPI Personal access, job tokens, deploy (project or group), project access
Generic packages Personal access, job tokens, deploy (project or group), project access
Terraform Personal access, job tokens, deploy (project or group), project access
Composer Personal access, job tokens, deploy (project or group), project access
Conan Personal access, job tokens, project access
Helm Personal access, job tokens, deploy (project or group)
Debian Personal access, job tokens, deploy (project or group)
Go Personal access, job tokens, project access
Ruby gems Personal access, job tokens, deploy (project or group)

Authentication protocols

DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

The following authentication protocols are supported:

Package type Supported auth protocols
Maven (with mvn) Headers, Basic auth
Maven (with gradle) Headers, Basic auth
Maven (with sbt) Basic auth (pulling only) (1)
npm OAuth
NuGet Basic auth
PyPI Basic auth
Generic packages Basic auth
Terraform Token
Composer OAuth
Conan OAuth, Basic auth
Helm Basic auth
Debian Basic auth
Go Basic auth
Ruby gems Token
  1. Basic authentication for Maven packages introduced in GitLab 16.0.

Supported hash types

DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

Hash values are used to ensure you are using the correct package. You can view these values in the user interface or with the API.

The package registry supports the following hash types:

Package type Supported hashes
Maven (with mvn) MD5, SHA1
Maven (with gradle) MD5, SHA1
Maven (with sbt) MD5, SHA1
npm SHA1
NuGet not applicable
PyPI MD5, SHA256
Generic packages SHA256
Composer not applicable
Conan MD5, SHA1
Helm not applicable
Debian MD5, SHA1, SHA256
Go MD5, SHA1, SHA256
Ruby gems MD5, SHA1, SHA256 (gemspec only)