You want to reduce the number of bad packages you have in your applications. Packages become bad, and abandoned all the time because their maintainers move on for several reasons. This scenario is much more likely when packages lack institutional support and funding; these packages are at risk of becoming bad packages and adding to your organizations risk exposure. With Tidelift, you can take steps to reduce the rate of your dependencies getting abandoned or deprecated over time.
Identify which of the packages you use might be at-risk
First, you need to discover what you use that is at-risk. Learn more about how you can evaluate the packages you use with Tidelift's APIs and UI.
To determine the risk levels, look at Tidelift's opinion. There are two categories you should investigate:
Caution advised
A package where caution is advised shows signs of risk, and would be an ideal candidate to reinforce. Learn more about the caution advised recommendation.
Not recommended
A package that is not recommended may be a candidate to reinforce. However, by the time a package is deprecated, end-of-life, or abandoned, it may be too late, which is why it is important to reinforce the software you depend on before it reaches this state. Learn more about not recommended packages.
Once you've researched the status of the software you rely on, it's time to chat with Tidelift.
Contact Tidelift to create a plan
Tidelift performs trend analysis on the software dependencies our customers evaluate and use, and uses that to drive our maintainer recruitment efforts. We are happy to extend this trend analysis to target specific packages where you would like to shore up the risk in your environment.
Contact Tidelift or your customer success manager, and we will work with you to target packages that meet your specific needs. Tidelift can help you analyze:
- Which of your at-risk packages represents the biggest risk (due to blast radius in your infrastructure, history of vulnerabilities, or other factors)
- Which of your at-risk packages provide the best possible return on maintainer recruitment (due to current funding, maintainer support, and more)
We'll then do the outreach for you.
Tracking the success of this initiative
We can create a maintainer impact report based on a list of packages you give us, or SBOMs you have uploaded to our tools, showing how we are preventing packages from “going bad” over time. As we reach out to specific maintainers on your behalf, we'll keep you informed of the benefits the maintainer advantage is bringing to your environment.