For every package that Tidelift is aware of from upstream package managers, a package page is available in the Tidelift application. A package page shows all of the information that Tidelift has consolidated about the package from its sources, together with any Tidelift recommendation for the package. Internal packages also get a package page, but the information on it is much more limited.
Overview
The Overview tab on the package page provides a high-level summary of the package, including:
- what the package is
- which license is attributed to it
- how many people contribute to the package
- a summary of how you are currently using the package
Each of these sections expands to more detail. Links to the package's source material are also provided if you need more technical information about the package.
On the package page, you may also see whether a package is lifted.
Lifted packages
When the lifted image shown below appears on a package page, it indicates that Tidelift has a contractual relationship with the maintainers of that package. We call such packages "lifted". A lifted package comes with additional commitments from the package maintainers.
Quality report
The Quality report tab provides information about a package's quality. There are three sub-tabs on this page:
- Summary: This sub-tab provides a high-level overview of the package's quality attributes, the Tidelift recommendation for the package, and if there are any alternative packages for this package.
- Checks: This sub-tab provides additional details about the package's quality checks.
- OpenSSF Scorecard: This sub-tab provides information about the package's OpenSSF scorecard.
For more details, see Quality assurance report.
Releases
The Releases tab lists every publicly available release of the package. From this tab you can request a release, and the decision made about each release is displayed alongside it. Clicking the status badge in the Catalog status column shows the details behind that decision.
Developers can use this list to see which versions of a package the organization allows, or to identify which issues need to be mitigated in a particular version.
Vulnerabilities
The Vulnerabilities tab of the package page lists all of the CVEs that Tidelift has mapped to this package, with a high-level summary of each. Clicking a CVE number opens the vulnerability's own page, which gives additional detail and context about how you may be affected by it.
Dependencies
Many open source packages rely on additional packages, and those packages carry their own risks and concerns. The Dependencies tab of the package page helps surface these issues earlier when researching a package. For each version of the package, Tidelift lists every other open source package it relies on, along with information such as the license each one uses and any detected vulnerabilities. The tab also indicates whether there are further transitive dependencies that may need to be investigated.
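As an added illustration of what the Dependencies tab is surfacing, the following is example code, not Tidelift's own code or API. The catalog, package names, licenses and vulnerability identifiers are all constructed placeholders. It walks a dependency graph breadth-first from a root package at a given version, records the path by which each transitive dependency is pulled in, and flags any dependency that fails a license allowlist, carries a listed vulnerability, or cannot be resolved at all. It also handles two cases real graphs contain: a dependency cycle and a dependency whose version is missing from the catalog.

```python
"""Transitive dependency risk walk (added example; not Tidelift code)."""
from collections import deque

# Constructed sample catalog (not Tidelift data): package -> version -> metadata.
# Vulnerability identifiers are placeholders, not real CVEs.
CATALOG = {
    "webapp": {
        "1.0.0": {"license": "MIT",
                  "deps": {"httpkit": "2.3.1", "yamlish": "0.9.2"}, "vulns": []},
    },
    "httpkit": {
        "2.3.1": {"license": "Apache-2.0", "deps": {"certstore": "1.1.0"}, "vulns": []},
    },
    "certstore": {
        # Points back at httpkit on purpose: a dependency cycle.
        "1.1.0": {"license": "AGPL-3.0", "deps": {"httpkit": "2.3.1"}, "vulns": []},
    },
    "yamlish": {
        "0.9.2": {"license": "MIT", "deps": {"loader": "3.0.0"},
                  "vulns": ["EXAMPLE-VULN-0001"]},
    },
    # "loader" 3.0.0 is deliberately absent: an unresolved transitive dependency.
}

# Hypothetical organizational license allowlist.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def walk(catalog, root, version):
    """Breadth-first walk of the transitive dependency graph.

    Returns {(name, version): {"depth": int, "path": [(name, version), ...]}}
    for every reachable package, including the root. Cycles are cut by the
    visited set; a dependency missing from the catalog is still recorded
    (with no metadata) so that it can be reported rather than silently lost.
    """
    start = (root, version)
    seen = {start: {"depth": 0, "path": [start]}}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        meta = catalog.get(current[0], {}).get(current[1])
        if meta is None:
            continue  # unresolved: nothing further to expand
        for dep_name, dep_ver in meta["deps"].items():
            child = (dep_name, dep_ver)
            if child in seen:
                continue  # already visited (also breaks cycles)
            seen[child] = {"depth": seen[current]["depth"] + 1,
                           "path": seen[current]["path"] + [child]}
            queue.append(child)
    return seen


def assess(catalog, root, version, allowed_licenses=ALLOWED_LICENSES):
    """Return (name, version, depth, reason, path) for every failing dependency."""
    findings = []
    for (name, ver), info in walk(catalog, root, version).items():
        if info["depth"] == 0:
            continue  # the root package itself is not a dependency
        meta = catalog.get(name, {}).get(ver)
        path = " -> ".join(f"{n}@{v}" for n, v in info["path"])
        if meta is None:
            findings.append((name, ver, info["depth"], "unresolved: not in catalog", path))
            continue
        if meta["license"] not in allowed_licenses:
            findings.append((name, ver, info["depth"],
                             f"license {meta['license']} not allowed", path))
        for vuln in meta["vulns"]:
            findings.append((name, ver, info["depth"], f"vulnerability {vuln}", path))
    # Shallowest problems first: direct dependencies are the easiest to act on.
    return sorted(findings, key=lambda f: (f[2], f[0]))


if __name__ == "__main__":
    for name, ver, depth, reason, path in assess(CATALOG, "webapp", "1.0.0"):
        print(f"[depth {depth}] {name}@{ver}: {reason}  via {path}")
```

Running it against the constructed catalog reports three findings: the vulnerable direct dependency yamlish, the AGPL-licensed certstore two levels down (reached through httpkit), and the unresolved loader. The path string is what lets a reviewer tell which direct dependency to pin or replace in order to drop a problematic transitive one.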
Attestation data
Many fields are useful when evaluating a package, and emerging regulations increasingly require attesting to certain practices and assurances for the open source packages you use. The Attestation data tab serves both needs: it is a single place to find data about a package, and it provides a machine-readable document you can use to meet those regulatory requirements.
Project usage
The Project usage tab of the package page provides a unified view of where a given package is being used within your organization. This list can be filtered by release and status to quickly identify your applications that are using versions that violate the organization's standards.