At Tidelift, we're partnering directly with maintainers (and paying them!) to improve the quality of the open source software packages your team relies on.
Of course our data is available to subscribers via API, but in addition each package has a quality assurance report page where you and your team can see how the package performs against Tidelift’s quality checks for security, development practices, and long-term outlook. This page has an overall summary for the package, a breakdown of the checks, and an overall recommendation.
Summary
Check results
This shows how many checks resulted in a success, an issue, a warning, or an unknown outcome.
- Issue: the package failed this check, which indicates it should not be used
- Warning: the package failed this check, which indicates a cause for concern
- Success: the package passed this check
- Unknown: there wasn't enough information to determine whether the package passes the check
Maintenance status
This provides a summary of the maintenance status of the package, taking into account:
- whether there is recent activity
- whether the package is deprecated
- whether the package is end-of-life
- whether releases are available upstream
This combines four separate checks into an overall summary of maintenance status.
Tidelift recommendation
The Tidelift recommendation is an overall recommendation of whether a package should be used, based on these checks. A package rated not recommended should be avoided and, if currently in use, migrated away from. A package rated caution advised should be watched to ensure it does not become not recommended, and may be a good candidate for partnering with Tidelift to pay the maintainers of that package. For more information on this recommendation, see How Tidelift evaluates packages.
Alternative packages
To help you select the best dependencies for your projects, Tidelift and our partnered maintainers identify opportunities where a recommended alternative package exists. Recommended alternatives offer similar functionality to their peers while meeting the highest standards for maintenance, development practices, and security. Choosing a recommended package can significantly reduce long-term costs associated with managing your dependencies because recommended packages are funded to address security vulnerabilities and uphold secure, enterprise-ready development practices.
Checks
Details of the following checks are shown.
No known vulnerabilities on latest release
This check looks for any known security vulnerabilities in the latest release of the package.
When the latest release is free of known vulnerabilities, that is an indicator that the package maintainers are resolving vulnerabilities as they are identified. It also means that a release free of known vulnerabilities is available to upgrade to.
Discoverable security policy
This check looks for a publicly available security policy for the package. A security policy should define the process for how maintainers will handle security issues without exposing said issues publicly before a fix is available.
A security policy means that a process is in place to address and fix security issues as they are discovered.
2FA enabled at source repository
This check indicates that Tidelift has first-party attestation that two-factor authentication practices are being used for source repository access.
Multi-factor authentication provides extra protection from malicious code being added to a package.
2FA enabled for package manager
This check indicates that Tidelift has first-party attestation that two-factor authentication practices are being used for the package manager release process.
Multi-factor authentication provides extra protection from a malicious release being published for a package.
Release managers are reviewed
This check indicates that Tidelift has first-party confirmation that the allowed release managers for a package have been reviewed and verified. This helps ensure that only authorized users can release new versions of a package.
Reviewing the list of users who are allowed to create releases for a package ensures that releases are coming from a trusted user.
Releases are discoverable upstream
This check ensures there are releases available upstream for a given package.
When releases can be downloaded from a public package manager, the risk of getting a release from a malicious source is lowered.
No known issues in dependencies for latest release
This check indicates that the dependencies of the latest release are maintained and have no known vulnerabilities.
A maintainer managing their dependencies and using packages that are free of vulnerabilities increases the likelihood that transitive issues will be taken care of for this package.
Package has multiple active maintainers
This check indicates that the package has multiple maintainers actively working on it.
Packages with multiple active maintainers are at less risk of abandonment, and are better choices to use in your applications.
One facet of this check is the package's number of contributors. When evaluating this facet, a package with fewer than two contributors in the past year, or fewer than five contributors overall, is also considered at risk.
Package is not deprecated
This check indicates whether the package has been marked as deprecated.
Deprecated packages are unlikely to receive updates if a vulnerability or other issue is identified.
Package appears maintained
This check indicates if the package appears maintained based on pull request rates, issue close rates, the lifting status of the package, and Tidelift’s research. When a package appears maintained the likelihood that future vulnerabilities will be addressed increases.
A package with activity (responsiveness to PRs and issues) is more likely to have someone available when a vulnerability arises or when dependency management is required.
Package is not end-of-life
This check indicates that the package is not declared end-of-life.
End-of-life packages are not maintained and will not receive updates if a vulnerability or other issue is identified.
Package has a stable release greater than two years old
This check indicates that the package has a stable release that's more than two years old.
A package with an older stable release is more likely to be stable and have continued support than a brand new package that was just released.
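To make the check vocabulary concrete, here is an added Python example (not Tidelift's code or API) that scores constructed package facts against several of the checks above and produces the success/issue/warning/unknown counts behind the Check results summary. The input model, the Issue-versus-Warning severities, and the sample values are assumptions; only the contributor thresholds and the two-year release age come from the page.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

Result = Enum("Result", "SUCCESS ISSUE WARNING UNKNOWN")  # the four outcomes in the report summary

@dataclass
class PackageFacts:  # constructed input model; None means the fact could not be determined
    latest_release_vulns: int | None
    contributors_past_year: int | None
    contributors_total: int | None
    deprecated: bool | None
    end_of_life: bool | None
    oldest_stable_release: date | None
    releases_upstream: bool | None
    recent_activity: bool | None

def _flag(fact, failed, severity):
    # Missing fact -> UNKNOWN; failed check -> the given severity; otherwise SUCCESS.
    return Result.UNKNOWN if fact is None else (severity if failed(fact) else Result.SUCCESS)

def run_checks(p: PackageFacts, today: date) -> dict[str, Result]:
    # Which failures count as Issue vs Warning is an assumption; the page does not define it.
    if p.contributors_past_year is None or p.contributors_total is None:
        maintainers = Result.UNKNOWN
    else:  # thresholds from the page: fewer than 2 in the past year or fewer than 5 overall
        at_risk = p.contributors_past_year < 2 or p.contributors_total < 5
        maintainers = Result.WARNING if at_risk else Result.SUCCESS
    cutoff = today - timedelta(days=2 * 365)
    return {
        "no_known_vulns_on_latest": _flag(p.latest_release_vulns, lambda n: n > 0, Result.ISSUE),
        "multiple_active_maintainers": maintainers,
        "not_deprecated": _flag(p.deprecated, lambda d: d, Result.ISSUE),
        "not_end_of_life": _flag(p.end_of_life, lambda e: e, Result.ISSUE),
        "stable_release_over_two_years": _flag(p.oldest_stable_release, lambda d: d > cutoff, Result.WARNING),
        "releases_discoverable_upstream": _flag(p.releases_upstream, lambda r: not r, Result.WARNING),
        "appears_maintained": _flag(p.recent_activity, lambda a: not a, Result.WARNING),
    }

def summarize(checks: dict[str, Result]) -> dict[Result, int]:
    # Counts behind the report's "Check results" summary (success / issue / warning / unknown).
    counts = Counter(checks.values())
    return {r: counts.get(r, 0) for r in Result}

# Constructed samples: a healthy package and one showing several risk signals.
TODAY = date(2024, 6, 1)
HEALTHY = PackageFacts(0, 4, 12, False, False, date(2020, 1, 1), True, True)
RISKY = PackageFacts(2, 1, 30, None, False, date(2023, 9, 1), True, False)
```

Running `summarize(run_checks(RISKY, TODAY))` shows how one unknown fact and a single recent contributor surface as unknown and warning outcomes rather than being silently treated as passes.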
OpenSSF Scorecard
OpenSSF Scorecard is a Linux Foundation initiative that performs automated checks on open source projects against a number of criteria. On this tab, you can see the latest scorecard for this package, if it has been published by the scorecard project.
Each check shows a status.