Introduction to catalog standards

Catalog standards are rules or policies, configured in the Tidelift UI, that continuously monitor the open source packages in use and identify and remove problematic packages that have already been adopted.

When "Auto status" is enabled, the package or version is automatically denied for use, which flags it to the appropriate stakeholder as something to migrate away from. When "create a task" is enabled, Tidelift generates a notification and creates a task to review the violation. The user can then choose to keep or override Tidelift's decision.

To see the available standards, including the ones turned on for your organization’s catalog, select Catalog > Standards from the left-side navigation panel.

Current standards enabled by default for all users

    • Vulnerabilities – Releases with vulnerabilities will be blocked according to your configurations.
    • Known packages – Package is known by the ecosystem's package manager. Avoid unknown and potentially malicious packages in your catalog.
    • Allowed licenses – Choose which software licenses are allowed in your catalog.
    • Identified licenses (should be used with Allowed licenses) – Releases have a valid machine-readable license expression.
    • Up to date – Outdated releases with newer options available will be blocked.
    • Deprecated – Packages determined to be deprecated will be denied.
    • End-of-life packages – Packages determined to be end-of-life will be denied.

When in use, these standards are upheld for all package releases that are already approved in your catalog. Tidelift also checks any requests for new package releases for standards violations.

Other standards available to implement

    • Pre-releases – Beta or release candidate versions will be denied.
    • Removed releases – Releases that have been removed upstream will be denied.
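To make the two enforcement modes concrete, here is an added model (not Tidelift's code) of how the standards listed above act on one package release. The `Release` record, the `POLICY` table, the license allowlist and the `evaluate()` function are assumptions; the standard names are the ones from this article.

```python
# Added illustration, not Tidelift's code: Release, POLICY and evaluate() are assumptions.
from dataclasses import dataclass
import re

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # constructed allowlist
PRERELEASE = re.compile(r"(?i)[-.]?(alpha|beta|rc|dev|pre|a|b)\.?\d*$")

# Constructed policy: a violation either auto-denies ("auto_status") or opens a task.
POLICY = {s: "auto_status" for s in ("vulnerabilities", "known-packages",
          "allowed-licenses", "identified-licenses", "deprecated", "end-of-life",
          "removed-releases")}
POLICY.update({"up-to-date": "create_task", "pre-releases": "create_task"})

@dataclass
class Release:
    name: str
    version: str
    latest_version: str        # newest version published upstream
    known: bool = True         # known to the ecosystem's package manager
    license_expr: str = ""     # machine-readable license expression, "" if none
    vulnerabilities: int = 0   # open advisories affecting this version
    deprecated: bool = False
    end_of_life: bool = False
    removed_upstream: bool = False

def _numeric(version):
    # Dotted numeric prefix only, e.g. '2.0.0rc1' -> (2, 0, 0)
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", version).group().split("."))

def violations(r):
    """Names of every standard this release fails, regardless of policy."""
    found = []
    if r.vulnerabilities > 0: found.append("vulnerabilities")
    if not r.known: found.append("known-packages")
    if not r.license_expr.strip(): found.append("identified-licenses")
    # Conservative: every license named in the expression must be on the allowlist.
    elif not set(re.split(r"\s+(?:AND|OR|WITH)\s+", r.license_expr.strip("() "))) <= ALLOWED_LICENSES:
        found.append("allowed-licenses")
    if _numeric(r.version) < _numeric(r.latest_version): found.append("up-to-date")
    if r.deprecated: found.append("deprecated")
    if r.end_of_life: found.append("end-of-life")
    if PRERELEASE.search(r.version): found.append("pre-releases")
    if r.removed_upstream: found.append("removed-releases")
    return found

def evaluate(r, policy=POLICY):
    """Apply the policy: auto_status violations deny, create_task ones queue a review."""
    found = violations(r)
    denied = [v for v in found if policy.get(v) == "auto_status"]
    tasks = [v for v in found if policy.get(v) == "create_task"]
    return {"status": "denied" if denied else "approved", "denied_for": denied, "tasks": tasks}
```

A standard absent from `POLICY` is treated as disabled, so its violation neither denies the release nor creates a task.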