Understanding package quality

At Tidelift, we're partnering directly with maintainers (and paying them!) to improve the quality of the open source software packages your team relies on.

For each package there's a quality assurance report page where you and your team can see how a package performs against Tidelift’s quality checks for security, development practices, and long-term outlook. This page has an overall summary for the package, a breakdown of the checks, and an overall recommendation.

Summary

[Screenshot: quality report summary panel]

Check results

This shows how many checks resulted in success, issue, warning, or unknown.

  • Issue: the package failed this check, which indicates it should not be used
  • Warning: the package failed this check, which indicates a cause for concern
  • Success: the package passed this check
  • Unknown: there wasn't enough information to determine whether the package passes the check

Maintenance status

This provides a summary of the maintenance status of the package, taking into account:

  • whether there is recent activity
  • whether the package is deprecated
  • whether the package is end-of-life
  • whether releases are available upstream

This combines four separate checks into an overall summary of maintenance status.

Tidelift recommendation

The Tidelift recommendation is an overall recommendation of whether a package should be used based on these checks. A not recommended package should be avoided and moved away from if currently in use. A caution advised package should be watched to ensure it does not become not recommended, and may be a good candidate for partnering with Tidelift to pay the maintainers of that package. For more information on this recommendation, see How Tidelift evaluates packages.

Alternative packages

Tidelift and our partnered maintainers research what alternate packages may be available if a package is not recommended. These packages are listed here.

Checks

To view the package quality check details, open the package page, then go to Quality report > Checks tab.

[Screenshot: quality report Checks tab]

Details of the following checks are shown.

No known vulnerabilities on latest release
This check looks for any security vulnerabilities on the latest release of the package. This indicates that the maintainers of this package are resolving vulnerabilities as they are identified.

When the latest release is free from security vulnerabilities, this is an indicator that the package maintainers are working to resolve vulnerabilities that arise. This also means that a release is available to upgrade to that is free of vulnerabilities.

Discoverable security policy
This check looks for a publicly available security policy for the package. A security policy should define the process for how maintainers will handle security issues without exposing said issues publicly before a fix is available.

A security policy means that a process is in place to address and fix security issues as they are discovered.

2FA enabled at source repository
This check indicates that Tidelift has first-party attestation that two-factor authentication practices are being used for source repository access.

Multi-factor authentication provides extra protection from malicious code being added to a package.

2FA enabled for package manager
This check indicates that Tidelift has first-party attestation that two-factor authentication practices are being used for the package manager release process.

Multi-factor authentication provides extra protection from a malicious release being published for a package.

Release managers are reviewed
This check indicates that Tidelift has first-party confirmation that the allowed release managers for a package have been reviewed and verified. This helps ensure that only authorized users can release new versions of a package.

Reviewing the list of users who are allowed to create releases for a package ensures that releases are coming from a trusted user.

Releases are discoverable upstream
This check verifies that releases of the package are available upstream.

When releases can be downloaded from a public package manager, the risk of getting a release from a malicious source is lowered.

No known issues in dependencies for latest release
This check indicates that the dependencies of the latest release are maintained and have no known vulnerabilities.

A maintainer managing their dependencies and using packages that are free of vulnerabilities increases the likelihood that transitive issues will be taken care of for this package.

Package is not deprecated
This check indicates whether the package has been marked as deprecated.

Deprecated packages are unlikely to receive updates if a vulnerability or other issue is identified.

Package appears maintained
This check indicates if the package appears maintained based on pull request rates, issue close rates, the lifting status of the package, and Tidelift’s research. When a package appears maintained the likelihood that future vulnerabilities will be addressed increases.

A package with activity (responsiveness to PRs and issues) is more likely to have someone available when a vulnerability arises or when dependency management is required.

Package is not end-of-life
This check indicates that the package is not declared end-of-life.

End-of-life packages are not maintained and will not receive updates if a vulnerability or other issue is identified.

Package has a stable release greater than two years old
This check indicates that the package has a stable release that's more than two years old.

A package with an older stable release is more likely to be stable and have continued support than a brand new package that was just released.
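As an added illustration (this is not Tidelift's code, and Tidelift's real thresholds and combination rules are not stated on this page), the following Python models how the check results, maintenance status, and recommendation described above could be derived from package metadata. The PackageInfo fields, the one-year activity window, the way statuses are combined, and the sample package are all assumptions; the point it demonstrates is that missing data yields "unknown" rather than a pass, and that a single issue is enough to make a package not recommended.

```python
"""Toy evaluator for the kinds of package-quality checks listed above.

Added example, not Tidelift's code: the thresholds and the rules for
combining results are assumptions.  The package metadata is a constructed
sample embedded below, so the script runs offline.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SUCCESS, WARNING, ISSUE, UNKNOWN = "success", "warning", "issue", "unknown"


@dataclass
class PackageInfo:
    """Facts a quality report would need; None means 'not known'."""
    name: str
    latest_version: str
    latest_release_vulns: list = field(default_factory=list)  # ids affecting latest release
    has_security_policy: Optional[bool] = None
    source_2fa_attested: Optional[bool] = None
    registry_2fa_attested: Optional[bool] = None
    release_managers_reviewed: Optional[bool] = None
    upstream_releases: Optional[int] = None       # releases on the public package manager
    vulnerable_dependencies: Optional[list] = None
    deprecated: Optional[bool] = None
    end_of_life: Optional[bool] = None
    last_activity: Optional[date] = None
    first_stable_release: Optional[date] = None


def _bool_check(value: Optional[bool], fail_status: str) -> str:
    """Map a yes/no fact to a status; missing data is UNKNOWN, never a pass."""
    if value is None:
        return UNKNOWN
    return SUCCESS if value else fail_status


def run_checks(pkg: PackageInfo, today: date) -> dict:
    """Return {check name: status} for the checks described on the page."""
    r = {}
    r["No known vulnerabilities on latest release"] = SUCCESS if not pkg.latest_release_vulns else ISSUE
    r["Discoverable security policy"] = _bool_check(pkg.has_security_policy, WARNING)
    r["2FA enabled at source repository"] = _bool_check(pkg.source_2fa_attested, WARNING)
    r["2FA enabled for package manager"] = _bool_check(pkg.registry_2fa_attested, WARNING)
    r["Release managers are reviewed"] = _bool_check(pkg.release_managers_reviewed, WARNING)
    r["Releases are discoverable upstream"] = (
        UNKNOWN if pkg.upstream_releases is None
        else SUCCESS if pkg.upstream_releases > 0 else ISSUE)
    r["No known issues in dependencies for latest release"] = (
        UNKNOWN if pkg.vulnerable_dependencies is None
        else SUCCESS if not pkg.vulnerable_dependencies else WARNING)
    # The recorded fact is "is it deprecated / EOL?", so invert it for a "not ..." check.
    r["Package is not deprecated"] = _bool_check(None if pkg.deprecated is None else not pkg.deprecated, ISSUE)
    r["Package is not end-of-life"] = _bool_check(None if pkg.end_of_life is None else not pkg.end_of_life, ISSUE)
    # Assumed activity window of one year (the page states no threshold).
    r["Package appears maintained"] = (
        UNKNOWN if pkg.last_activity is None
        else SUCCESS if today - pkg.last_activity <= timedelta(days=365) else WARNING)
    r["Package has a stable release greater than two years old"] = (
        UNKNOWN if pkg.first_stable_release is None
        else SUCCESS if today - pkg.first_stable_release > timedelta(days=2 * 365) else WARNING)
    return r


def summarize(results: dict) -> dict:
    """Count results per status, as the summary panel does."""
    counts = {SUCCESS: 0, WARNING: 0, ISSUE: 0, UNKNOWN: 0}
    for status in results.values():
        counts[status] += 1
    return counts


MAINTENANCE_CHECKS = (
    "Package appears maintained",
    "Package is not deprecated",
    "Package is not end-of-life",
    "Releases are discoverable upstream",
)


def maintenance_status(results: dict) -> str:
    """Collapse the four maintenance checks into one word (assumed rule)."""
    statuses = [results[c] for c in MAINTENANCE_CHECKS]
    if ISSUE in statuses:
        return "unmaintained"
    if WARNING in statuses or UNKNOWN in statuses:
        return "uncertain"
    return "maintained"


def recommendation(results: dict) -> str:
    """Assumed mapping: any issue -> not recommended; any warning -> caution advised."""
    statuses = set(results.values())
    if ISSUE in statuses:
        return "not recommended"
    if WARNING in statuses:
        return "caution advised"
    return "recommended"


# Constructed sample: a package with an open vulnerability and fading activity.
TODAY = date(2024, 6, 20)
SAMPLE = PackageInfo(
    name="example-lib", latest_version="1.4.2",
    latest_release_vulns=["VULN-ID-PLACEHOLDER"],
    has_security_policy=True, source_2fa_attested=None, registry_2fa_attested=True,
    release_managers_reviewed=False, upstream_releases=12, vulnerable_dependencies=[],
    deprecated=False, end_of_life=False,
    last_activity=date(2022, 1, 10), first_stable_release=date(2019, 3, 1),
)

if __name__ == "__main__":
    res = run_checks(SAMPLE, TODAY)
    for check, status in res.items():
        print(f"{status:8} {check}")
    print(summarize(res), maintenance_status(res), recommendation(res))
```

Running the script prints one line per check followed by the counts, the maintenance summary, and the recommendation for the constructed sample; swap in your own metadata source to turn it into a policy gate for a dependency review.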

OpenSSF Scorecard

OpenSSF Scorecard is a Linux Foundation initiative that performs automated checks on open source projects against a number of criteria. On this tab, you can see the latest scorecard for this package, if it has been published by the scorecard project.

Each OpenSSF Scorecard check shows a status.
