When using Tidelift to evaluate releases, we recommend that you use the Tidelift recommendation. The Tidelift recommendation is a holistic evaluation of the release, and whether it is developed and maintained in a way that would make it a good fit for use in an application.
The recommendation for the release could be either:
- not_recommended: This release has flaws that make it risky to use in your environment
- recommended: This release has no such flaws. If you want to make further determinations, you can look at other data that Tidelift provides for the release.
What makes a release not recommended?
A release is not recommended if it falls into any of these categories:
It was removed from the upstream package manager
A release that was removed from the upstream package manager was removed for a reason. At best, the maintainer decided it wasn’t worth having it published, either due to bugs, or not wanting to maintain it. At worst, it was actively hostile and/or malware, and was pulled by the package manager itself. Releases that have been removed from the package manager should not be used.
Tidelift checks to ensure that any release that has previously existed upstream remains available.
It is for a deprecated package
A package that has been deprecated has been flagged by its maintainer as approaching its end of life, and that other options should be considered. While the maintainer may still choose to make updates, they may also choose not to do so. Deprecated packages should not be brought into new applications, and work should be done to replace them in applications that might be currently using them.
Tidelift tracks packages that have been marked as deprecated by their maintainers directly in their ecosystem, and researches to find packages that have been marked deprecated by other means (such as notes in the documentation.)
It is for an unmaintained package
Unmaintained packages will not be fixed for new bugs, features, or security vulnerabilities. Unmaintained packages are latent risk in your organization. They should not be brought into new development, and work should be done to replace them in applications that might be currently using them.
Tidelift tracks the maintenance activity of packages, and when it reaches a risky point, does an evaluation of the package to see if it is still maintained.
It is a prerelease
A prerelease is a release that its own maintainers have said isn’t ready for primetime. A maintainer denotes a prerelease in a number of ways. A prerelease should not be used, even if a future stable release may be suitable to use.
Tidelift tracks the releases of packages as they are published in the upstream package manager, and checks whether they are prereleases.
It is affected by a vulnerability
Releases with known vulnerabilities should not be used.
Tidelift tracks vulnerabilities as they are announced and maps them to the packages and releases that are affected.
It is more than seven years old
A release that is over seven years old is a poor bet for developing on. A release that is that old is unlikely to be on a maintained version of the package, and the older that it is, the more disruptive upgrading to a supported version may be.
Tidelift tracks the releases of packages as they are made to upstream package managers. Tidelift chose seven years as a match to many corporate software depreciation policies. If you’d like to use a more stringent standard, Tidelift tracks the release date and you can determine your choices based on that.