Watch this space for news of changes and how you can best take advantage of new features in the Tidelift subscription!
Note: for changes to the Tidelift CLI, see https://download.tidelift.com/cli/CHANGELOG.md.
January 2025
- Added Exploit Prediction Scoring System (EPSS) scores and whether a vulnerability is on the CISA Known Exploited catalog to vulnerability information
- Added a "Package has organizational backing" quality check
December 2024
- Removed conda as a supported ecosystem
November 2024
- Added corporate, foundation, variable, and 'none detected' income stream data to package pages
- Added maintainer count to PyPI and npm package pages
- Package security report
- End-of-life violations now include package renames, giving developers a package-replacement action in the IDE, UI, and APIs
- Added the ability to pass a specific timestamp to the updates_since endpoint when checking for new package updates
- Added number of maintainers and income streams to the Package overview page
- Moved vulnerabilities by version stream to the Package vulnerabilities page
October 2024
- Beta VS Code integration
- GitHub Action update to generate full dependency graphs
- Added a dependency issues view showing issues on the latest release, how the dependencies come into any SBOMs we are tracking, and where we have maintainer insights on CVEs
- Increased reporting interoperability with field normalization across all reports
- Removed a series of legacy reports. Customers should instead use the All projects violations report and the All projects compliance report. The following reports have been removed:
  - Project alignments
  - Known vulnerabilities in projects
  - Prioritized action
  - Catalog standards violations
- Changed the Up to Date standard implementation to allow for violations based on versions behind the latest release
- Added ability to export policy exceptions
September 2024
- Package analysis browser extension
- Added the violation title to the All projects violations report
- Changed the Up to Date standard implementation to allow for absolute and relative timespans
- Enhanced the All projects compliance report to include dependency counts, alignment date, and revision
- Removed the legacy Project Recommendations report. Customers should use the All projects violations report and filter by project.
August 2024
- Added a dashboard to show the impact of paid maintainers on software supply chain security
- Added the ability to download organization-wide All Projects Violations and All Projects Compliance reports
July 2024
- Added vulnerability CVSS scores from GitHub, where available
- Added a new "Known Releases" standard
- Added a beta GitLab Code Quality integration
June 2024
- Redesigned the package "Quality Checks" page and moved it to a new package "Quality Report" page
- Added OpenSSF scorecard data to the Quality Report and our package data APIs
- Added a new "End-of-life impact" report, to assess your catalog using Tidelift's End-of-life insights.
May 2024
- Added the ability to ignore false positive vulnerabilities
- Added the ability to download reports in JSON format in addition to TSV
- Added graphs of key metrics to track improvements to the Projects view
April 2024
- Added a new "End-of-life packages" standard that can be used to avoid end-of-life software risk
- APIs that return information about packages or releases now include a purl (package URL) where they previously did not
- APIs to look up information about packages and releases have been updated to allow querying by purl
- Added "violation actions", recommendations that help users fix issues discovered in their software
March 2024
- Added "is the package end-of-life" as an additional check to the Tidelift recommendation for packages
- Added the All projects compliance report to see projects' compliance with your organization’s definition of good and bad software releases
- Added the All projects violations report to see all issues in the software releases in use in your organization
- Added the ability to override whole packages under the pre-releases standard, when your business has determined that the package is not a risk
- Added a "manage blocked items" UI to manage what releases have been blocked, regardless of a standard violation
- Added a "blocked items" API to send package releases to Tidelift for blocking based on your internal business logic, and regardless of a standard violation
- Added an "updates since" API for determining what packages have had relevant changes to their release list or evaluation
February 2024
- Added more nuance to the Tidelift recommendation for packages
- Added the Tidelift recommendation for a package to the user interface
- Added whether a package is lifted to Tidelift package intelligence API
- Added remediation advice for vulnerabilities
- Adjusted permissions for the developer role to allow API usage and constrain project visibility
January 2024
- Added support for the 'replace' directive in go.mod to Go manifest handling
- Added more detail on maintainer-verified licenses
- Now displays a warning when a package has been removed from a package manager
</gml_replace>
<gr_replace lines="105" cat="clarify" orig="- The bill of materials">
- The bill of materials API now supports fetching a bill of materials in additional formats, including SPDX and CycloneDX, matching the formats available from the web UI.
December 2023
- Added upgrade guidance to the prioritized action report
- Added maintainer recommendations for security vulnerabilities
November 2023
- Added a bulk package API to return intelligence on many packages with one API call
October 2023
- Updated version guidance to work using enabled catalog standards
- Added the ability to configure task creation by catalog standard
- Added a Developer role with limited application access
- Added violation visibility for non-default branches
September 2023
- Customers using SAML for Single Sign On can now pass groups as part of the SAML response to automatically map a user to a role. If you're interested in this, contact support@tidelift.com and we can help you get set up for it.
August 2023
- Added the ability to download CycloneDX bills of materials in JSON format
- Added the ability to set an external identifier for projects that can be used to associate with other systems or tracking
- Added the ability to import SPDX-formatted bills of materials
July 2023
- We have added new APIs that allow assigning manually researched licenses to packages and releases
- Updated CLI to fix an authentication issue with some project keys
June 2023
- We have added new APIs that allow listing, creating, and deleting overrides to standard violations
- We have added new APIs for configuring the "Releases have approved licenses" standard
- Updated REST APIs to only require passing organization name, not organization type
May 2023
- We released a new design of the application to make it easier to find what you're looking for and understand how the data fits together.
- Projects can be renamed via the project update API
- Native support for Apple Silicon (M1/M2) Macs is now available in the Tidelift CLI
April 2023
- We have released a redesign of the API key pages to make it easier to find and manage the API keys associated with your organization
- We have released a refresh of the quality checks on individual package pages to better highlight relevant checks to your organization by grouping related checks into categories, giving streamlined statuses, and some curation of the checks shown.
- The alignment APIs and CLI now expose information about dependency scopes so that you can use that as information in your CI integration. Read more with examples of how to use this.
- We have an updated status site that allows you to subscribe to receive email notifications when the Tidelift site is having issues.
March 2023
- The bill of materials API now supports getting a bill of materials in additional formats including SPDX and CycloneDX similar to what can be fetched from the web UI.
- A new report is available to help understand how vulnerabilities are brought into your projects via the Prioritized action report
- Information on Java libraries from the Google Android Maven repository is now available within Tidelift