Supported package functionality

The GitLab Package Registry supports different functionalities for each package type. This support includes publishing and pulling packages, request forwarding, managing duplicates, and authentication.

Publishing packages

Packages can be published to your project, group, or instance.

Package typeProjectGroupInstance
Maven (with mvn)YNN
Maven (with gradle)YNN
Maven (with sbt)NNN
npmYNN
NuGetYNN
PyPIYNN
Generic packagesYNN
TerraformYNN
ComposerNYN
ConanYNY
HelmYNN
DebianYNN
GoYNN
Ruby gemsYNN

Pulling packages

Packages can be pulled from your project, group, or instance.

Package typeProjectGroupInstance
Maven (with mvn)YYY
Maven (with gradle)YYY
Maven (with sbt)YYY
npmYYY
NuGetYYN
PyPIYYN
Generic packagesYNN
TerraformNYN
ComposerYYN
ConanYNY
HelmYNN
DebianYNN
GoYNY
Ruby gemsYNN

Forwarding requests

Requests for packages not found in your GitLab project are forwarded to the public registry. For example, Maven Central, npmjs, or PyPI.

Package typeSupports request forwarding
Maven (with mvn)Yes (disabled by default)
Maven (with gradle)Yes (disabled by default)
Maven (with sbt)Yes (disabled by default)
npmYes
NuGetN
PyPIYes
Generic packagesN
TerraformN
ComposerN
ConanN
HelmN
DebianN
GoN
Ruby gemsN

Deleting packages

When package requests are forwarded to a public registry, deleting packages can be a dependency confusion vulnerability.

If a system tries to pull a deleted package, the request is forwarded to the public registry. If a package with the same name and version is found in the public registry, that package is pulled instead. There is a risk that the package pulled from the registry might not be what is expected, and could even be malicious.

To reduce the associated security risks, before deleting a package you can:

  • Verify the package is not being actively used.
  • Disable request forwarding:
    • Instance administrators can disable forwarding in the Continuous Integration section of the Admin Area.
    • Group owners can disable forwarding in the Packages and Registries section of the group settings.

Importing packages from other repositories

You can use GitLab pipelines to import packages from other repositories, such as Maven Central or Artifactory with the package importer tool.

Package typeImporter available?
Maven (with mvn)Y
Maven (with gradle)Y
Maven (with sbt)Y
npmY
NuGetY
PyPIY
Generic packagesN
TerraformN
ComposerN
ConanN
HelmN
DebianN
GoN
Ruby gemsN

Allow or prevent duplicates

By default, the GitLab package registry either allows or prevents duplicates based on the default of that specific package manager format.

Package typeDuplicates allowed?
Maven (with mvn)Y (configurable)
Maven (with gradle)Y (configurable)
Maven (with sbt)Y (configurable)
npmN
NuGetY
PyPIN
Generic packagesY (configurable)
TerraformN
ComposerN
ConanN
HelmY
DebianY
GoN
Ruby gemsY

Authentication tokens

GitLab tokens are used to authenticate with the GitLab Package Registry.

The following tokens are supported:

Package typeSupported tokens
Maven (with mvn)Personal access, job tokens, deploy (project or group), project access
Maven (with gradle)Personal access, job tokens, deploy (project or group), project access
Maven (with sbt)Personal access, job tokens, deploy (project or group), project access
npmPersonal access, job tokens, deploy (project or group), project access
NuGetPersonal access, job tokens, deploy (project or group), project access
PyPIPersonal access, job tokens, deploy (project or group), project access
Generic packagesPersonal access, job tokens, deploy (project or group), project access
TerraformPersonal access, job tokens, deploy (project or group), project access
ComposerPersonal access, job tokens, deploy (project or group), project access
ConanPersonal access, job tokens, project access
HelmPersonal access, job tokens, deploy (project or group)
DebianPersonal access, job tokens, deploy (project or group)
GoPersonal access, job tokens, project access
Ruby gemsPersonal access, job tokens, deploy (project or group)

Authentication protocols

The following authentication protocols are supported:

Package typeSupported auth protocols
Maven (with mvn)Headers, Basic auth (pulling only) (1)
Maven (with gradle)Headers, Basic auth (pulling only) (1)
Maven (with sbt)Basic auth (1)
npmOAuth
NuGetBasic auth
PyPIBasic auth
Generic packagesBasic auth
TerraformToken
ComposerOAuth
ConanOAuth, Basic auth
HelmBasic auth
DebianBasic auth
GoBasic auth
Ruby gemsToken
  1. Basic authentication for Maven packages introduced in GitLab 16.0.

Supported hash types

Hash values are used to ensure you are using the correct package. You can view these values in the user interface or with the API.

The Package Registry supports the following hash types:

Package typeSupported hashes
Maven (with mvn)MD5, SHA1
Maven (with gradle)MD5, SHA1
Maven (with sbt)MD5, SHA1
npmSHA1
NuGetnot applicable
PyPIMD5, SHA256
Generic packagesSHA256
Composernot applicable
ConanMD5, SHA1
Helmnot applicable
DebianMD5, SHA1, SHA256
GoMD5, SHA1, SHA256
Ruby gemsMD5, SHA1, SHA256 (gemspec only)