What are unknown packages and releases?
Tidelift provides detailed information on open source packages, including vulnerabilities, maintenance statistics, and more.
However, not every dependency you use may be a public open source package.
When the package is not discoverable from a public open source package repository, it is referred to as an unknown package.
When the specific release of a public open source package is not discoverable from a public open source package repository, it is referred to as an unknown release.
Why might a package or release be unknown?
There are a number of reasons an entire package, or an individual release, may be unknown.
- It could be a package, or a version of a package, that you purchased, downloaded, or otherwise acquired from a third party such as a software vendor
- It could be a package, or a version of a package, that you develop internally in your organization
- It could be a malicious package or release that was pulled from public use by the maintainer or by the package manager
Organizations may want to track the use of unknown packages and releases in your projects, to confirm that you are using the software that you intend to use. To do so, enable the Known Packages and Known Releases standards.
By enabling these standards, packages and releases that are not publicly known will be denied. The Known Packages standard will deny any release of a package that is not known to a public repository. The Known Releases standard will deny specific releases of otherwise known packages that are that are not known to a public repository.
You can also configure the standard to create a task to review each unknown package or release. If you are using internally developed software, you would want to review and allow specific unknown packages or releases.
Note that because unknown packages and releases do not have publicly available information, Tidelift does not provide the following information for unknown packages:
- License research
- Security vulnerabilities
- Security vulnerability recommendations
- Maintenance information
- Automatic identification of new releases
Managing overrides
You may want to allow something that the unknown packages standard has not allowed. For example, it could be an internal package maintained by engineers inside your organization.
To do so, see Creating Overrides.