End-of-life packages standard

Using end-of-life packages is a risk to your organization. An end-of-life package, by definition, will no longer receive fixes or updates. Any vulnerability or critical bug in an end-of-life package will not be fixed upstream, so you will have to find a workaround or migrate to a different package.


By proactively moving away from end-of-life packages, you can reduce your risk before it becomes a critical emergency. With the Tidelift Subscription, you can require the usage of stable releases by using the End-of-life packages standard.

How does Tidelift detect end-of-life packages?

Tidelift researches and pulls information on end-of-life packages from places such as upstream package managers, collection sites such as https://endoflife.date, and foundation sites such as the Apache Attic. Tidelift also performs manual research as needed.

Note: this standard only covers where the package is entirely declared end-of-life. It does not check whether a specific release of an otherwise maintained package is no longer getting updates.
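To make the scope of this standard concrete, the following added example (not Tidelift's code, and not how Tidelift implements the standard) checks a small constructed lockfile against two constructed data sets: a package-level list, where the whole package is declared end-of-life (what the standard covers), and a per-release-cycle list loosely shaped like an endoflife.date cycle record, with `cycle` and `eol` fields (what the standard does not cover). The package names, versions and dates are all hypothetical.

```python
"""Package-level versus release-level end-of-life checks (added example)."""
from dataclasses import dataclass
from datetime import date

# Constructed lockfile in requirements-style "name==version" lines (hypothetical packages).
LOCKFILE = """
# constructed sample lockfile
legacy-http-client==1.4.2
webfw==2.9.1
webfw==3.1.0
"""

# Constructed package-level end-of-life list: the whole package is retired (hypothetical).
PACKAGE_EOL = {
    "legacy-http-client": "declared end-of-life by its maintainer (hypothetical)",
}

# Constructed per-cycle data, loosely shaped like an endoflife.date cycle record.
# Assumption: 'eol' holds an ISO date once a cycle is out of support, or False while supported.
CYCLE_EOL = {
    "webfw": [
        {"cycle": "2", "eol": "2021-06-30"},
        {"cycle": "3", "eol": False},
    ],
}


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str


def parse_lockfile(text):
    """Parse 'name==version' lines, skipping blanks and comments."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps.append(Dependency(name.strip(), version.strip()))
    return deps


def package_eol_findings(deps):
    """Findings the standard reports: the entire package is end-of-life, whatever the version."""
    return [(d.name, d.version, PACKAGE_EOL[d.name]) for d in deps if d.name in PACKAGE_EOL]


def release_eol_findings(deps, today):
    """Findings the standard does not report: an unsupported release line of a maintained package.

    The release cycle is taken to be the major version component (assumption for this example).
    """
    findings = []
    for d in deps:
        major = d.version.split(".")[0]
        for cycle in CYCLE_EOL.get(d.name, []):
            eol = cycle["eol"]
            if cycle["cycle"] == major and eol and date.fromisoformat(eol) < today:
                findings.append((d.name, d.version, eol))
    return findings


if __name__ == "__main__":
    deps = parse_lockfile(LOCKFILE)
    print("Covered by the standard (package-level EOL):")
    for name, version, reason in package_eol_findings(deps):
        print(f"  {name}=={version}: {reason}")
    print("Not covered by the standard (release-level EOL), needs a separate check:")
    for name, version, eol in release_eol_findings(deps, date.today()):
        print(f"  {name}=={version}: release line unsupported since {eol}")
```

Running it shows `legacy-http-client` flagged regardless of its version, while `webfw==2.9.1` is only surfaced by the second, release-aware check; `webfw==3.1.0` is reported by neither. Teams that need release-level coverage should treat that second check as a separate control alongside this standard.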


Managing overrides

While it is not recommended practice, you may need to allow a package that the End-of-life packages standard has blocked.

To do so, see Creating Overrides.
