Overview
The Tidelift VS Code integration helps you achieve a healthy open source software supply chain by monitoring your dependencies for issues like vulnerabilities, packages that are end-of-life, releases that have been removed upstream, and more. As a developer you can see issues in your project before you push code, saving you from tedious changes later in your build process.
This feature is in beta, and we are currently soliciting feedback on the developer experience.
Supported ecosystems
Tidelift maintains a list of supported ecosystems here. Currently, the VS Code integration has full support for NPM and Maven. Features such as automatic alignments and package manifest hover diagnostics are not yet supported for other ecosystems.
Key features
- Continuous scanning: Tidelift will monitor and evaluate your project dependencies against the standards set by your organization.
- Timely notifications: If a dependency change introduces new standards violations to your project, Tidelift will let you know so that you can avoid taking on new tech and security debt.
- Helpful categorization: Want to identify and fix certain types of violations like vulnerabilities or end-of-life packages first? The tree view groups information in multiple ways so that you can use it in the way that’s most helpful to you.
The example above shows expanded details about a deprecated package, path-is-absolute 2.0.0, from the full Tidelift alignment report.
This view shows diagnostic information directly inside package.json, the manifest file for most JavaScript projects.
Usage
The Tidelift integration can be accessed at any time from the activity bar. Upon initial configuration and after every dependency change, Tidelift will run an alignment. Alignment results are available through this integration, as is information about specific releases or violations.
If a dependency is introduced or a dependency changes versions and new violations are detected, the editor will notify you and allow you to view the details.
Installation
- Install the Tidelift editor integration from Azure Marketplace
- Get a user API key from the Tidelift app
- Press "CTRL+SHIFT+P" to open the command palette and run the "Tidelift: Set Tidelift API Key" command.
Configuration
- You can configure the workspace using a ".tidelift" file in the root directory of the workspace. Read more about the .tidelift file.
- If no such file is present, you can also access the editor integration configuration by running "Tidelift: settings" from the command palette.
Parameters
- Organization and Catalog are required to run generalized alignment checks against a configured Tidelift catalog.
- Project can optionally be provided to include additional details such as when releases are newly introduced to your project since its last saved alignment.
Security & Privacy
This integration is based on Tidelift CLI and uses it for all interaction with Tidelift services. It does not collect any additional user information beyond what the CLI requires.