Known Packages standard

Tidelift provides detailed information on open source packages, including vulnerabilities, maintenance statistics, and more.

However, not every dependency you use is a public open source package. You may use internally developed software as a dependency, or software acquired from a third party. These packages are referred to as unknown packages.

You may want to track the use of unknown packages in your projects, to confirm that you are using the software that you intend to use. To do so, enable the Known Packages standard.

By enabling this standard, packages that are not publicly known will be denied by default.

You can also configure the standard to create a task to review each unknown package. If you are using internally developed software, you will want to review and then allow those specific unknown packages rather than turning the standard off.

Note that because unknown packages do not have publicly available information, Tidelift does not provide the following information for unknown packages:

  • License research
  • Security vulnerabilities
  • Security vulnerability recommendations
  • Maintenance information
  • Automatic identification of new releases

Managing overrides

You may want to allow something that the Known Packages standard has denied. For example, it could be an internal package maintained by engineers inside your organization.

To do so, see Creating Overrides.
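To show what the policy described in the two sections above amounts to in practice (deny every package that did not come from a public registry, then allow specific reviewed internal packages through an override), here is an added example that is not Tidelift's code and does not use the Tidelift API. It walks a constructed npm package-lock.json, treats only packages resolved from registry.npmjs.org as "known" (the registry list, the override format and the lockfile contents are all assumptions made for this example), and denies everything else unless an override pins that exact name and version.

```python
"""Added example (not Tidelift's code): a minimal "known packages" check over
an npm package-lock.json. A dependency counts as known only if it resolved
from a public registry; anything else (private registry, git URL, local path)
is unknown and is denied unless an override allows that name at that version.
"""
import json
from urllib.parse import urlparse

# Hosts whose packages count as publicly known. Assumption for this example.
PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Overrides: reviewed internal packages, pinned to the reviewed version so a
# silent version bump falls back to "denied" and gets reviewed again.
OVERRIDES = {"@acme/auth-client": "2.3.0"}

# Constructed lockfile (lockfileVersion 3 "packages" layout); not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/@acme/auth-client": {
            "version": "2.3.0",
            "resolved": "https://npm.internal.acme.example/@acme/auth-client/-/auth-client-2.3.0.tgz",
        },
        "node_modules/left-pad-fork": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@github.com/someone/left-pad-fork.git#abc123",
        },
        "node_modules/local-tool": {
            "resolved": "file:../local-tool",
            "link": True,
        },
    },
})


def package_name(path, entry):
    """Name of a lockfile entry: explicit "name" if present, else the last
    node_modules segment (keeps scoped names such as @acme/auth-client whole)."""
    return entry.get("name") or path.split("node_modules/")[-1]


def is_publicly_known(resolved):
    """True only for an https tarball served by a public registry host."""
    parsed = urlparse(resolved or "")
    return parsed.scheme == "https" and parsed.hostname in PUBLIC_REGISTRY_HOSTS


def evaluate(lockfile_text, overrides):
    """Apply the standard to every dependency. Returns name -> decision, where
    decision is "known", "allowed-by-override" or "denied"."""
    lock = json.loads(lockfile_text)
    decisions = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself is not a dependency
            continue
        name = package_name(path, entry)
        if is_publicly_known(entry.get("resolved")):
            decisions[name] = "known"
        # Require an explicit entry AND an exact version match; a lockfile entry
        # with no version must never match an absent override.
        elif name in overrides and overrides[name] == entry.get("version"):
            decisions[name] = "allowed-by-override"
        else:
            decisions[name] = "denied"
    return decisions


def review_tasks(decisions):
    """The packages a reviewer has to look at: everything still denied."""
    return sorted(name for name, d in decisions.items() if d == "denied")


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOCK, OVERRIDES)
    for name, decision in sorted(result.items()):
        print(f"{name:25} {decision}")
    print("review tasks:", review_tasks(result))
```

Two design choices worth keeping if you build something like this around any dependency scanner: the override matches name and version, not name alone, so the reviewed artifact is the one that stays allowed; and a dependency with no public provenance is denied by default rather than merely flagged, which is the point of the standard.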
