Understanding package details in the Tidelift UI

For every package that Tidelift is aware of from upstream package managers, a package page is available in the Tidelift application. A package page shows all of the information that Tidelift has consolidated about this package from our sources, and any potential Tidelift recommendation for the package.. Internal packages will also have a package page generated, however the information is much more limited. 


Screenshot from 2024-03-07 17-43-31.png

The overview tab on the package page provides a high level summary of the package, containing information such as: 

  • what the package is
  • what Tidelift's recommendation for the package is
  • what license is attributed to it
  • how many people contribute to the package
  • and a summary of how you are currently using the package

For each section mentioned in the above bulleted list, there are more details provided. There are also links available to source material for this package if you need more technical details about the package. 

Clicking on the Tidelift recommendation ("Not recommended" in the above screenshot) will give you details on why the package may not be recommended. This could be because it is deprecated, because it has been renamed, or because it is end-of-life. For more details, see How Tidelift evaluates packages.

On the package page, you may also see whether a package is lifted .

Lifted packages 

When you see the image below on a package page, this indicates that Tidelift has a contractual relationship with the maintainer of these packages. We call such packages "lifted". A lifted package comes with additional commitments from the package maintainer. 


The Releases tab lists every publicly available release of the given package. A release can be requested from this tab, and the decisions made about each release are also displayed here. Details for each decision can also be seen here by clicking on the status badge under the Catalog status column. For more information about standards and violations see catalog standards

This list of releases can be used by developers to understand what versions of a package are allowed by the organization, or identify what issues need to be mitigated from a particular version. 


The Vulnerabilities tab of the package page lists all of the CVEs that Tidelift has mapped to this package. The data presented in this table will provide some high level data for each vulnerability. Clicking the CVE number will take you to a vulnerabilities page with additional detail and context about how you may be impacted by the vulnerability. 


Many open source packages rely on additional packages, and these can come with their own risks and concerns. The Dependencies tab of the package page helps to surface these issues faster when researching a package. Tidelift displays a list of all other open source packages that each version of a specific open source package relies on, including information such as what license those packages use, and any detected vulnerabilities. The page also indicates if there are additional transitive dependencies that may need to be investigated. 

Attestation data 

There are many fields that may be of use when evaluating a package, and many regulations are emerging to require attesting to certain practices and assurances for open source packages. The Attestation data tab serves those needs, whether you're looking for a one stop shop for data about a package, or a machine readable document to adhere to regulations, this tab can help. 

Project usage 

The Project usage tab of the package page provides a unified view of where a given package is being used within your organization. This list can be filtered by release and status to quickly identify your applications that are using versions that violate the organization's standards. 

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.

Articles in this section