Catalog standards

Standards are rules that a catalog administrator can set to help decide whether a specific package or package release should be included in a catalog.

Tidelift notifies you and creates tasks when there are standards violations, taking the guesswork (and legwork) out of catalog management. These standards can relate to licensing, security, and/or maintenance, and each standard is configured at the catalog level.

To see the available standards, including the ones turned on for your organization’s catalog, select Catalog > Standards from the left-side navigation panel.

Current standards enabled by default for all users

    • Releases have no vulnerabilities – This standard ensures that every new and approved package release is reviewed for known vulnerabilities.
    • Unknown packages must be manually reviewed – This security standard can be configured to keep unknown, and potentially malicious, packages out of your catalog. Tidelift identifies a package as unknown if the package cannot be found on a public package manager. If necessary, you can create an exception for this standard.
    • Releases use approved licenses – This standard ensures that every new and approved package release only uses a license from your organization’s approved list of licenses. This standard only applies to packages where a license has been identified (see the "Releases have an identified license" standard below for packages without an identified license).
    • Releases have an identified license (should be used with "Releases use approved licenses") – This standard ensures that every package in use has a clear license, whether provided directly by the maintainer in SPDX format, cleaned up and confirmed by Tidelift's research and/or license recognition system, or confirmed by someone at your organization. This standard can be configured to ignore unknown packages to avoid task duplication (if a package is unknown, the license cannot be identified).
    • Releases must be up to date – This standard ensures that every package in use is the latest release or no more than a set number of years behind the latest release.
    • Releases are actively maintained – This standard ensures that deprecated packages are not used by your team.

When in use, these standards are upheld for all package releases that are already approved in your catalog. Tidelift also checks any requests for new package releases for standards violations.
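To make the interaction between the six standards above concrete (in particular, the "approved licenses" check applying only when a license was identified, the "identified license" check optionally skipping unknown packages, and exceptions for unknown packages), here is an added illustration of how such a catalog policy can be evaluated. It is not Tidelift's code: the field names, the standard identifiers, the tolerance of two years, and all sample packages, dates and advisory ids are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical, simplified evaluator of the catalog standards listed above.
# This is an added illustration, not Tidelift's code; field names and the
# sample data are constructed for the example.


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    released: date                      # date this release was published
    latest_release: date                # date of the newest release of the package
    license_id: Optional[str]           # SPDX id, or None if no license was identified
    vulnerability_ids: tuple = ()       # known advisory ids for this release (constructed)
    known_on_registry: bool = True      # False => "unknown" package (not on a public registry)
    deprecated: bool = False            # True => package is no longer maintained


@dataclass(frozen=True)
class CatalogStandards:
    approved_licenses: frozenset = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})
    max_years_behind: int = 2                   # how far behind the latest release is tolerated
    ignore_unknown_for_license: bool = True     # avoid duplicate tasks for unknown packages
    unknown_package_exceptions: frozenset = frozenset()   # names allowed despite being unknown


def evaluate(rel: Release, std: CatalogStandards) -> list[str]:
    """Return the standards this release violates (empty list = compliant)."""
    violations = []
    unknown = not rel.known_on_registry

    # Releases have no vulnerabilities
    if rel.vulnerability_ids:
        violations.append("releases-have-no-vulnerabilities")

    # Unknown packages must be manually reviewed, unless an exception exists
    if unknown and rel.name not in std.unknown_package_exceptions:
        violations.append("unknown-packages-must-be-reviewed")

    # Releases use approved licenses: only applies when a license was identified
    if rel.license_id is not None and rel.license_id not in std.approved_licenses:
        violations.append("releases-use-approved-licenses")

    # Releases have an identified license: optionally skipped for unknown packages
    if rel.license_id is None and not (unknown and std.ignore_unknown_for_license):
        violations.append("releases-have-identified-license")

    # Releases must be up to date: the latest release, or within N years of it
    days_behind = (rel.latest_release - rel.released).days
    if days_behind > std.max_years_behind * 365:   # a year approximated as 365 days
        violations.append("releases-must-be-up-to-date")

    # Releases are actively maintained
    if rel.deprecated:
        violations.append("releases-are-actively-maintained")

    return violations


def review_catalog(releases, std):
    """Map 'name@version' to its violations; each entry would become one task."""
    return {f"{r.name}@{r.version}": evaluate(r, std) for r in releases}


# Constructed sample catalog (names, dates and advisory ids are made up)
SAMPLE_RELEASES = [
    Release("tidy-json", "1.4.2", date(2024, 5, 1), date(2024, 5, 1), "MIT"),
    Release("oldparser", "0.9.0", date(2019, 2, 10), date(2023, 8, 3), "GPL-3.0-only"),
    Release("netutil", "2.0.1", date(2023, 1, 15), date(2023, 1, 15), "Apache-2.0",
            vulnerability_ids=("CONSTRUCTED-ADV-0001",), deprecated=True),
    Release("corp-internal-lib", "1.0.0", date(2024, 1, 1), date(2024, 1, 1), None,
            known_on_registry=False),
]

if __name__ == "__main__":
    for key, found in review_catalog(SAMPLE_RELEASES, CatalogStandards()).items():
        print(key, "->", ", ".join(found) or "compliant")
```

Running it with the default settings flags `oldparser` for both an unapproved license and being more than two years behind, `netutil` for a known advisory and deprecation, and `corp-internal-lib` only for manual review, because the identified-license check is skipped for unknown packages. Adding that package to the exceptions while turning `ignore_unknown_for_license` off reverses the outcome: the review task disappears and a missing-license task appears instead, which is exactly the duplication the page says the "ignore unknown packages" option is meant to avoid.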
