At Tidelift, we want to help organizations solve the problems that keep them up at night.
- What risks are embedded deep inside my organization?
- How will I know that what I’m building on today will be viable for the long term?
- How do I reduce risk before it ends up deployed in my organization?
The Tidelift data product consists of the following APIs. (Note: these are available for select customers. Contact your Tidelift support representative for more information.)
📝 Full API documentation: https://api.tidelift.com/docs/intelligence/
Package API
Note: The links below will require an active API key. They will return an error message without one.
The packages API can be found at:
https://api.tidelift.com/external-api/v1/packages/<platform>/<package_name>
Example:
https://api.tidelift.com/external-api/v1/packages/npm/qs
This API returns a set of data that includes, at minimum:
- Name
- Platform
- Purl (aka Package URL)
- Tidelift’s recommendation (recommended, not recommended, not assessed)
  - A recommended package has at least one release that does not have issues
- Upstream repository
- SPDX-formatted license of latest release
- Release information (all releases and release dates, specific latest and latest stable releases)
- An assessment of the packages on a number of metrics related to security, development practices, and long-term outlook.
For a full description of data returned, see the API documentation.
This API is also available in bulk form, where you can request information on up to 1000 packages at once.
Release API
The releases API can be found at:
https://api.tidelift.com/external-api/v1/packages/<platform>/<package_name>/releases/<version>
Example:
https://api.tidelift.com/external-api/v1/packages/maven/antlr:antlr/releases/2.7.1
This API returns a set of data that includes, at minimum:
- Name
- Platform
- Purl (aka Package URL)
- Upstream repository
- SPDX-formatted license
- Tidelift’s recommendation (recommended, not recommended, not assessed)
- Why Tidelift doesn’t recommend the release, if applicable
The reasons Tidelift does not recommend a release are shown as “violations”. Example violations include:
- Release has a vulnerability
- Release is a prerelease
- Package has been deprecated upstream
- Release has issues in its direct or transitive dependencies
For a full description of data returned, see the API documentation.
This API is also available in bulk form, where you can request details on up to 1000 releases at once.
Release dependency API
The release dependencies API can be found at:
Example:
https://api.tidelift.com/external-api/v1/packages/npm/isarray/releases/2.0.5/dependencies
This API returns a paginated list of dependencies; each entry includes:
- Platform
- Name
- Explicit requirement (including any language-specific range or specifiers)
- Scope
For a full description of data returned, see the API documentation.
Vulnerability API
The vulnerability API can be found at:
https://api.tidelift.com/external-api/v1/vulnerabilities/<CVE-ID>
Example:
https://api.tidelift.com/external-api/v1/vulnerabilities/CVE-2021-20066
This API returns a set of data that includes, at minimum:
- The CVE id
- The NIST URL for the vulnerability
- Any additional URL that provides more information
- Description
- Severity (CVSS score)
- Affected packages
- Recommendation for those packages, which can include:
  - What to upgrade to, if needed
  - If it’s a real issue, or a false positive
  - Whether it’s still vulnerable even if the package is only used as a dev/build/test dependency
  - Any specific methods that are affected
  - Any workarounds that are available
For a full description of data returned, see the API documentation.
Vulnerability affected releases API
The affected releases API can be found at:
https://api.tidelift.com/external-api/v1/vulnerabilities/<CVE-ID>/affected_releases
Example:
https://api.tidelift.com/external-api/v1/vulnerabilities/CVE-2021-33503/affected_releases
This API returns a paginated list of releases that are affected by the vulnerability; each entry includes:
- Platform
- Name
- Version
For a full description of data returned, see the API documentation.
Using Tidelift APIs
Rate Limits
For individual APIs (package, release, vulnerability), clients should restrict to a maximum of two API calls per second (120 calls / minute).
For bulk APIs (package, release), clients should restrict to a maximum of one call per minute.
If these limits are insufficient for your use case, please contact us.
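The following is an added example (not Tidelift's own client code) of client-side pacing that honours the limits stated above: a minimum interval of 0.5 s between individual API calls, 60 s between bulk calls, and at most 1000 items per bulk request. The clock and sleep functions are injectable so the pacing can be exercised without waiting; the `send` callback stands in for whatever HTTP call the caller makes, since the page does not show the bulk request format.

```python
"""Client-side rate limiting and batching for the Tidelift data APIs.

Added example, not Tidelift's client. Limits are the ones stated on the
page; the bulk request body/format is not shown there, so `send` is left
to the caller.
"""
import time
from collections.abc import Callable, Iterable, Iterator

BULK_MAX_ITEMS = 1000  # page: up to 1000 packages/releases per bulk call


class RateLimiter:
    """Minimum-interval limiter: wait() returns no sooner than `min_interval`
    seconds after the previous permitted slot, so bursts cannot run ahead
    of the limit and idle time is not banked as credit."""

    def __init__(self, min_interval: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.min_interval = min_interval
        self._clock = clock
        self._sleep = sleep
        self._next_allowed = clock()  # first call is allowed immediately

    def wait(self) -> float:
        """Block until the next call is permitted; return seconds slept."""
        now = self._clock()
        delay = max(0.0, self._next_allowed - now)
        if delay:
            self._sleep(delay)
        # Schedule from the permitted slot, not from the pre-sleep time, so
        # consecutive calls are spaced by exactly min_interval.
        self._next_allowed = max(now, self._next_allowed) + self.min_interval
        return delay


INDIVIDUAL = RateLimiter(0.5)   # 2 calls/second: package, release, vulnerability
BULK = RateLimiter(60.0)        # 1 call/minute: bulk package, bulk release


def chunked(items: Iterable, size: int = BULK_MAX_ITEMS) -> Iterator[list]:
    """Split items into lists of at most `size` (the bulk API's cap)."""
    batch: list = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def paced_bulk(items: Iterable, send: Callable[[list], object],
               limiter: RateLimiter = BULK,
               size: int = BULK_MAX_ITEMS) -> list:
    """Send items in bulk requests of at most `size`, waiting on the bulk
    limiter before each one. Returns the per-request results in order."""
    results = []
    for batch in chunked(items, size):
        limiter.wait()
        results.append(send(batch))
    return results


if __name__ == "__main__":
    # Dry run with a fake clock: 2500 packages -> 3 bulk calls over 2 minutes.
    t = [0.0]
    rl = RateLimiter(60.0, clock=lambda: t[0], sleep=lambda s: t.__setitem__(0, t[0] + s))
    print(paced_bulk(range(2500), len, limiter=rl), "in", t[0], "seconds")
```

The limiter is deliberately an interval limiter rather than a sliding window: "two calls per second" and "one call per minute" are both stated as ceilings, and spacing calls evenly is the simplest way to stay under both without tracking history. One process-wide limiter per API class is enough for a single-threaded client; a multi-threaded or multi-host integration needs a shared limiter, since the limits apply to the client as a whole.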