Understanding the difference between data from Libraries.io and The Tidelift Subscription

What is Libraries.io? 

Libraries.io is a free service, maintained and run by Tidelift, that collects publicly available open source package metadata scraped from the internet. With it you can search for open source packages by license or language, or explore new, trending, or popular packages.

What can Libraries.io be used for?

  • For gathering raw package license and dependency information
  • As a synthesized data stream of scraped information across multiple package managers
  • Note, however, that the data is not validated for accuracy and is not ideal for important decision-making purposes

What is The Tidelift Subscription and what can it be used for?

The Tidelift Subscription is a curated source of data and intelligence for millions of open source packages across multiple languages, backed by Tidelift and our maintainer partners, who are paid to ensure their projects follow enterprise-grade secure software development practices, now and into the future. 

The Tidelift Subscription is typically used across the DevOps lifecycle for:

  • Evaluating packages before use on legal, technical, and security dimensions
  • Reviewing tech debt (end-of-life and other problematic packages) during planning, with clear actions to take, so that mitigating it becomes planned work
  • Continuously checking for dependency quality and policy alignment as software work continues — before implementation work, and prior to ops handoff
  • Monitoring the currently-in-prod source code for newly-introduced quality problems
  • And shoring up at-risk packages by working directly with open source maintainers, so less tech debt appears in the future


Digging in: Libraries.io vs Tidelift 

Package metadata
  • Libraries.io: Read from package and source repository metadata, not validated for accuracy
  • Tidelift: Extensive and human-validated for accuracy

Paying maintainers to implement secure development practices and provide attestations (examples: 2FA status, security policy, and more)
  • Libraries.io: Not included
  • Tidelift: Extensive data about practices and attestations, made available only to customers

License data
  • Libraries.io: Read from package metadata, not validated for accuracy
  • Tidelift: Analyzed and manually validated for accuracy, also including a normalized SPDX expression

Dependency insights
  • Libraries.io: Limited insights only, not validated for accuracy
  • Tidelift: Extensive and human-validated for accuracy, including dependency graph relationships

Vulnerability insights
  • Libraries.io: Not included
  • Tidelift: CVE data ingested from multiple sources and mapped to specific versions, plus maintainer CVE reviews for impact, workarounds, and false positive identification

Maintenance status, including deprecation, end-of-life, and package rename insights
  • Libraries.io: Not included
  • Tidelift: Extensive and human-validated for accuracy

Release and usage recommendations
  • Libraries.io: Not included
  • Tidelift: Extensive and human-validated for accuracy

API access
  • Libraries.io: Limited and rate restricted
  • Tidelift: Robust set of APIs, enterprise support and SLA, and customizable rate limits

New package(s) assessment SLA
  • Libraries.io: Not included
  • Tidelift: Package assessment SLAs included with the Tidelift Subscription
