Joe Roberts
Products and Technology

What’s New in Posit Package Manager: September 2025

2025-09-12

We’re excited to announce the September 2025 release of Posit Package Manager, bringing you enhanced security, broader platform support, and more granular control over your R and Python packages. This release is packed with features designed to streamline your workflows and bolster your organization’s security posture, whether you’re in life sciences, finance, or the public sector.

 

Seamlessly integrate with Single Sign-On (SSO)

 

 

We’re excited to extend our initial support for authenticated repositories with full SSO authentication via OpenID Connect (OIDC). Many popular Identity Providers support OIDC, including Okta and Microsoft Entra ID (formerly Azure Active Directory). Package Manager Advanced customers can now integrate directly with these systems as a source of users and group authentication.  

Why this is important: No matter what industry you are in, we are simplifying enterprise security and governance while reducing admin overhead.

Users and groups can be mapped to all of Package Manager’s built-in authorization scopes, including:

  • view and install packages from one or more authenticated repositories
  • publishing new packages to a local or Git builder source
  • viewing or managing blocklist rules
  • managing custom metadata
  • full remote system administration

In addition to the ability to login via web browser, we’ve also introduced several client integrations to make it easier for users to manage their SSO credentials with their existing tools including pip and uv for Python package installation, and the Package Manager CLI tool for remote administration and publishing.  

Learn more about getting started with SSO Authentication in our Admin Guide.

 

Expanded support for Arm64 Linux and faster R Package installation

 

This release of Package Manager extends our availability of Posit-built CRAN binary packages to select ARM64 distributions, including our recently-announced manylinux portable packages. ARM-based processors have become increasingly popular as an often cheaper and more energy-efficient alternative to traditional x86 architectures, notably through AWS Graviton instances available on AWS EC2.

Why this is important: You can now leverage modern, cost-efficient cloud infrastructure without sacrificing data scientist productivity.

In this initial release, ARM64 Linux packages are available for Ubuntu 24 (Noble), RHEL 9, RHEL 10, and manylinux 2.28+, built for R versions 4.1 through 4.5. For those not using a currently supported distribution (e.g. Debian) we encourage trying out the manylinux packages as an alternative. We continually evaluate the need to support additional distributions, and encourage providing feedback on the Posit Community forums with any additional requests.

Note that this support is specific to the binary R packages served from Package Manager, but we expect to release full support for running the Package Manager server itself on ARM architectures later this year.

 

New R repository URL format for Linux

 

We’ve added a new repository URL format that supports declaring the full package environment (distribution, architecture, and R version) as part of the repository URL itself.

Why this is important: With a more reliable format, common R configuration errors preventing use of binary packages are reduced, eliminating unnecessary support tickets.

Previously, distribution-specific URLs (e.g., https://ppm-server/cran/__linux__/noble/latest) were used to request binaries for a specific Linux distribution. Package Manager then used the client’s HTTPUserAgent setting to serve binary packages for the correct version of R. However, many users were not properly specifying the HTTPUserAgent option, which resulted in no binary packages being served.

For example, the URL to retrieve binary packages for Ubuntu 24 (Noble), on ARM64 architecture, for R 4.5 would be https://ppm-server/cran/latest/bin/linux/noble-aarch64/4.5. The URL for the x86_64 architecture would be https://ppm-server/cran/latest/bin/linux/noble-x86_64/4.5.

The existing environment auto-detection via user-agent will remain supported, and in many cases may be preferable, especially in environments supporting multiple R versions.

 

Fine-Grained Vulnerability Blocking

 

Since we originally added vulnerability reporting and blocking to Package Manager, a frequent request has been to provide finer-grained control over which vulnerabilities are blocked. In most cases, we still recommend blocking all packages with any known vulnerability, encouraging upgrading to a more updated version as a best practice. However, we now include the ability to set a severity threshold for blocking based on a CVE’s associated Common Vulnerability Scoring System (CVSS) score using the new create blocklist-rule --min-severity=x.y rule.

Why this is important: Blocking packages based on CVE scores allows for more nuanced security policies, particularly in the public sector, where established operating procedures dictate this practice.

This feature is available at Package Manager’s Advanced tier only. Refer to the Package Security section in the Admin Guide for full details.

These updates are designed to help your organization securely and efficiently manage R and Python packages, enabling your data science teams to work in any development environment while avoiding packages with vulnerabilities. For more detail on these and other fixes and enhancements, please see the full release notes.

Tags: Posit Package Manager release