Violation actions (Beta)

Avoiding violations can be challenging. Dependency chains are complicated and manually sifting through release requirements to identify updates that are both compatible and violation-free is incredibly time consuming. Luckily, Tidelift makes this easier with violation actions.

Violation actions relieve developers from the burden of analyzing dependency chains and provide simple guidance on how to avoid a particular violation. Violation actions can be found on a project’s alignment page.

violation-actions.png

How violation actions work

For each violation found in your alignment, Tidelift analyzes the dependency chain and the release requirements for each package in the chain. It then looks at all potential variations of the dependency chain to find the smallest action you can take to avoid a violation.

Example

Imagine your project relies on astral_adapter:1.0.0 which has the following dependency chain and release requirements.

Dependency chain

astral_adapter:1.0.0 (direct dependency)
└ bionic_builder:1.0.0
  └ cosmic_cybercore:1.0.0 (⚠️ violation)
    └ dimensional_downloader:1.0.0

Release requirements

astral_adapter:1.0.0 requires bionic_builder >= 1.0.0
bionic_builder:1.0.0 requires cosmic_cybercore = 1.0.0
cosmic_cybercore:1.0.0 requires dimensional_downloader >= 1.0.0

Scenario

As you run an alignment, Tidelift detects a violation with cosmic_cybercore:1.0.0 a transitive dependency of astral_adapter:1.0.0 . The violation is fixed in cosmic_cybercore:2.0.0.

Unfortunately you can’t simply update cosmic_cybercore to 2.0.0 because bionic_builder:1.0.0 only allows cosmic_cybercore:1.0.0 in its requirements.

In this situation, Tidelift would look at all of the potential updates within this dependency chain to determine the smallest change the meets the release requirements and avoids the violation.

Resulting violation action

As Tidelift does its analysis, it finds that bionic_builder:2.0.0 is available and requires cosmic_cybercore:2.0.0. and the release requirements for cosmic_cybercore:2.0.0 haven’t changed from cosmic_cybercore:1.0.0.

This means the violation action to take is to update the transitive dependency bionic_builder from 1.0.0 to 2.0.0 .

Supported platforms

Violation actions are currently supported for CycloneDX SBOMs and for the following package managers:

  • npm
  • gradle
  • maven
  • nuget
  • yarn

Limitations

Violation actions currently have a few limitations:

  • Actions will avoid the violation found during alignment, but could introduce a different violation when the next alignment occurs.
  • Actions do not attempt to optimize for any semantic versioning rules in order to minimize breaking changes.

Feedback

Violation actions is a beta feature and your feedback plays an important role in helping us improve the product. As you try this feature, please use the feedback form found in the actions section to tell us where we can improve.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.

Articles in this section