The Tidelift Subscription is compatible with open source packages from a variety of ecosystems, and we work with maintainers from all of these ecosystems.
Fully compatible ecosystems:
The following ecosystems and package managers are fully compatible.
- Java (Maven)
- JavaScript (npm)
- Python (PyPI, conda)
- Swift (Cocoapods)
- Golang (Go)
Beta compatible ecosystems:
Beta ecosystems are not subject to our full scope of support for paying subscribers.
- Rust (Cargo)
- C# (NuGet)
- Ruby (RubyGems)
- PHP (Packagist)
What makes an ecosystem fully compatible?
For fully compatible ecosystems, Tidelift will provide:
1. Software bills of materials (SBOMs): We understand and parse project files to create an SBOM of direct and transitive dependencies.
2. Automation: The Tidelift CLI can be used to automate building an SBOM from project files as part of your CI/CD workflow.
3. Security, licensing, and maintenance metadata: Tidelift automatically discovers new packages and releases, and researches vulnerability, licensing, and maintenance data.
4. Maintainers: Tidelift actively works to partner with and pay maintainers for packages in the ecosystem to ensure the viability and security of the software supply chain.
What makes an ecosystem beta compatible?
For beta compatible ecosystems, Tidelift will provide:
1. Software bills of materials (SBOMs): We understand and parse project files to create an SBOM of direct and transitive dependencies.
2. Maintainers: Tidelift may partner with and pay select maintainers for packages in the ecosystem to ensure the viability and security of the software supply chain.
Ecosystem compatibility matrix
Manifests and lockfiles for compatible ecosystems
Generic (CycloneDX)
Preferred manifests: cyclonedx.json, cyclonedx.xml
Java (Maven)
Preferred manifests: pom.xml
Preferred lockfiles:
- gradle-dependencies-q.txt (run gradle dependencies -q > gradle-dependencies-q.txt and upload gradle-dependencies-q.txt with that exact name)
- maven-resolved-dependencies.txt (run mvn dependency:list -DoutputFile=maven-resolved-dependencies.txt and upload maven-resolved-dependencies.txt with that exact name)
- sbt-update-full.txt (run sbt 'show updateFull' > sbt-update-full.txt and upload sbt-update-full.txt with that exact name; note that the single quotes around 'show updateFull' are required)
Not currently supported: build.gradle (without the accompanying gradle-dependencies-q.txt file), ivy.xml
JavaScript (npm)
Preferred manifests: package.json
Preferred lockfiles: yarn.lock, package-lock.json, npm-shrinkwrap.json
Python (PyPI)
Preferred manifests:
- requirements.txt
- Pipfile
- pyproject.toml
Preferred lockfiles: Pipfile.lock, poetry.lock
Not currently supported:
- setup.py
- req*.txt
- req*.pip
- requirements/*.pip
Python (Conda)
Preferred manifests: environment.yml
Golang (Go)
Preferred manifests: go.mod
Swift (Cocoapods)
Preferred manifests: Podfile, *.podspec
Preferred lockfiles: Podfile.lock
C# (NuGet)
Preferred manifests: *.csproj, project.assets.json
- For .csproj files, package references need to be made using the "PackageReference" tag, rather than the legacy "Reference" tag.
Preferred lockfiles: packages.lock.json
Not currently supported:
- packages.config
- *.nuspec
- paket.lock
Ruby (RubyGems)
Preferred manifests: Gemfile
Preferred lockfiles: Gemfile.lock
Not currently supported:
- *.gemspec
- gems.rb
- gems.locked
PHP (Packagist)
Preferred manifests: composer.json
Rust (Cargo)
Preferred manifests: Cargo.toml
Preferred lockfiles: Cargo.lock
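A pre-flight check of a project tree against the matrix above, run before uploading manifests or wiring the upload into CI. This is example code added to this page, not Tidelift's own tooling: the file names and globs are transcribed from the matrix, the function names (classify, csproj_legacy_references, demo) and the report format are assumptions of the example, and the project tree it scans is constructed in a temporary directory. It applies the two rules the matrix states beyond plain names: build.gradle only counts with an accompanying gradle-dependencies-q.txt, and a .csproj must use PackageReference rather than the legacy Reference tag.

```python
"""Check a project tree for Tidelift-compatible manifests and lockfiles.

Example code added to this page (not Tidelift's tooling). The file names and
globs below are transcribed from the compatibility matrix on this page.
"""
import fnmatch
import os
import tempfile
import xml.etree.ElementTree as ET

# Preferred manifests and lockfiles, keyed by file name or glob -> ecosystem.
PREFERRED = {
    "cyclonedx.json": "Generic (CycloneDX)", "cyclonedx.xml": "Generic (CycloneDX)",
    "pom.xml": "Java", "gradle-dependencies-q.txt": "Java",
    "maven-resolved-dependencies.txt": "Java", "sbt-update-full.txt": "Java",
    "package.json": "JavaScript", "yarn.lock": "JavaScript",
    "package-lock.json": "JavaScript", "npm-shrinkwrap.json": "JavaScript",
    "requirements.txt": "Python", "Pipfile": "Python", "pyproject.toml": "Python",
    "Pipfile.lock": "Python", "poetry.lock": "Python",
    "environment.yml": "Python (Conda)", "go.mod": "Golang",
    "Podfile": "Swift", "*.podspec": "Swift", "Podfile.lock": "Swift",
    "*.csproj": "C#", "project.assets.json": "C#", "packages.lock.json": "C#",
    "Gemfile": "Ruby", "Gemfile.lock": "Ruby", "composer.json": "PHP",
    "Cargo.toml": "Rust", "Cargo.lock": "Rust",
}
# Files the page lists as not currently supported. Globs with a "/" are
# matched against the path relative to the project root.
UNSUPPORTED = ["ivy.xml", "setup.py", "req*.txt", "req*.pip", "requirements/*.pip",
               "packages.config", "*.nuspec", "paket.lock", "*.gemspec",
               "gems.rb", "gems.locked"]


def csproj_legacy_references(path):
    """Return the Include names of legacy <Reference> items in a .csproj.

    Tidelift needs <PackageReference>; any <Reference> item is reported.
    The namespace prefix is stripped because old-style projects declare one.
    """
    root = ET.parse(path).getroot()
    return [elem.get("Include", "?") for elem in root.iter()
            if elem.tag.rsplit("}", 1)[-1] == "Reference"]


def classify(project_root):
    """Walk project_root and map each relative path to (status, detail).

    status is "preferred", "unsupported" or "ignored"; detail names the
    ecosystem or the reason the file will not be accepted.
    """
    report = {}
    for dirpath, _, files in os.walk(project_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, project_root).replace(os.sep, "/")
            eco = next((e for pat, e in PREFERRED.items() if fnmatch.fnmatch(name, pat)), None)
            if eco:
                status = ("preferred", eco)
                if name.endswith(".csproj"):
                    legacy = csproj_legacy_references(full)
                    if legacy:  # legacy Reference items are not parsed by Tidelift
                        status = ("unsupported", "legacy <Reference> items: " + ", ".join(legacy))
            elif name == "build.gradle":
                has_lock = os.path.exists(os.path.join(dirpath, "gradle-dependencies-q.txt"))
                status = (("ignored", "covered by gradle-dependencies-q.txt") if has_lock
                          else ("unsupported", "build.gradle without gradle-dependencies-q.txt"))
            elif any(fnmatch.fnmatch(name, p) or fnmatch.fnmatch(rel, p) for p in UNSUPPORTED):
                status = ("unsupported", "listed as not currently supported")
            else:
                status = ("ignored", "not a manifest or lockfile Tidelift reads")
            report[rel] = status
    return report


def demo():
    """Run the check over a constructed sample tree (sample data, not a real project)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "api"))
        os.makedirs(os.path.join(root, "requirements"))
        sample_files = {
            "package.json": "{}",
            "package-lock.json": "{}",
            "setup.py": "",
            "requirements/dev.pip": "",
            "build.gradle": "",
            "api/api.csproj": ('<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                               '<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />'
                               '</ItemGroup></Project>'),
            "legacy.csproj": ('<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">'
                              '<ItemGroup><Reference Include="Newtonsoft.Json" /></ItemGroup>'
                              '</Project>'),
        }
        for rel, body in sample_files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return classify(root)


if __name__ == "__main__":
    for path, (status, detail) in sorted(demo().items()):
        print(f"{status:11} {path:24} {detail}")
```

Run it against a real checkout by calling classify with the repository root instead of demo; anything reported as unsupported is a file the upload will silently skip, so fix those (generate the Gradle lockfile, migrate Reference items to PackageReference) before relying on the resulting SBOM.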