At Tidelift, we're partnering directly with maintainers (and paying them!) to improve the quality of the open source software packages your team relies on.
For each package there's a quality checks page where you and your team can see how a package performs against Tidelift’s quality checks for security, development practices, and long-term outlook.
No known vulnerabilities on latest release
This check looks for any security vulnerabilities on the latest release of the package. This indicates that the maintainers of this package are resolving vulnerabilities as they are identified.
Discoverable security policy
This check looks for a publicly available security policy for the package. A security policy should define the process for how maintainers will handle security issues without exposing said issues publicly before a fix is available.
2FA enabled at source repository
This check indicates that Tidelift has first-party attestation that two-factor authentication practices are being used for source repository access.
2FA enabled for package manager
This check indicates that Tidelift has first-party attestation that two-factor authentication practices are being used for the package manager release process.
Release managers are reviewed
This check indicates that Tidelift has first-party confirmation that the allowed release managers for a package have been reviewed and verified. This helps ensure that only authorized users can release new versions of a package.
Security vulnerabilities have recommendations
This check confirms that recommendations have been provided for all security vulnerabilities on the package. These recommendations provide clear and actionable mitigation steps.
Package cryptographically signs releases
This check looks for a cryptographic signature on package releases. Signing releases helps ensure that the package is coming from a trusted source and is non-malicious.
Development practices checks
Package has a defined open source license
This check indicates that the package has an open source license. This is important to ensure what the conditions for use and distribution are for the package.
Package has a clean release available
This check indicates that there is at least one release of the package with no known vulnerabilities, and that the latest compatible version of that release's dependencies are maintained and also have no known vulnerabilities.
No known issues in dependencies for latest release
This check indicates that the dependencies of the latest release are maintained and have no known vulnerabilities.
Long-term outlook checks
Package is lifted
This check indicates that Tidelift has a relationship with the maintainer(s) of the package. The maintainer(s) of the package has agreed to maintain the package to Tidelift's standards.
Package is not deprecated
This check indicates if the package has been marked as deprecated. Deprecated packages will not recieve updates if a vulnerability or other issue is identified.
Package appears maintained
This check indicates if the package appears maintained based on pull request rates, issue close rates, the lifting status of the package, and Tidelift’s research. When a package appears maintained the likelihood that future vulnerabilities will be addressed increases.
Package has a stable release greater than two years old
This check indicates that the package has a stable release that's more than two years old. Packages with a history of stable releases are more likely to be supported long-term.
Each Check shows a status of passed, not passed, or no assertion. When a check has the status of no assertion, Tidelift doesn’t have the data necessary to pass or not pass the check.
Article is closed for comments.