Compatible languages and package files

The Tidelift Subscription is compatible with open source packages from a variety of ecosystems, and we work with maintainers from all of these ecosystems.

Fully compatible ecosystems:

The following ecosystems and package managers are fully compatible.

  • Java (Maven)
  • JavaScript (npm)
  • Python (PyPI, conda)
  • Swift (CocoaPods)
  • Golang (Go)

Beta compatible ecosystems:

Beta ecosystems are not subject to our full scope of support for paying subscribers.

  • Rust (Cargo)
  • C# (NuGet)
  • Ruby (RubyGems)
  • PHP (Packagist)

What makes an ecosystem fully compatible?

For fully compatible ecosystems, Tidelift will provide:

1. Software bills of materials (SBOMs): We understand and parse project files to create an SBOM of direct and transitive dependencies.

2. Automation: The Tidelift CLI can be used to automate building a SBOM from project files as part of your CI/CD workflow.

3. Security, licensing, and maintenance metadata: Tidelift automatically discovers new packages and releases, and researches vulnerability, licensing, and maintenance data.

4. Maintainers: Tidelift actively works to partner with and pay maintainers for packages in the ecosystem to ensure the viability and security of the software supply chain.

What makes an ecosystem beta compatible?

For beta compatible ecosystems, Tidelift will provide:

1. Software bills of materials (SBOMs): We understand and parse project files to create an SBOM of direct and transitive dependencies.

2. Maintainers: Tidelift may partner with and pay select maintainers for packages in the ecosystem to ensure the viability and security of the software supply chain.

Ecosystem compatibility matrix

[Screenshot of the ecosystem compatibility matrix, dated 2023-02-16; image not reproduced here]

Manifests and lockfiles for compatible ecosystems

Generic (CycloneDX)

Preferred manifests: cyclonedx.json, cyclonedx.xml


Java (Maven)

Preferred manifests: pom.xml

Preferred lockfiles:

  • gradle-dependencies-q.txt (run gradle dependencies -q > gradle-dependencies-q.txt and upload gradle-dependencies-q.txt with that exact name)
  • maven-resolved-dependencies.txt (run mvn dependency:list -DoutputFile=maven-resolved-dependencies.txt and upload maven-resolved-dependencies.txt with that exact name)
  • sbt-update-full.txt (run sbt 'show updateFull' > sbt-update-full.txt and upload sbt-update-full.txt with that exact name; note that the single quotes around 'show updateFull' are required)

Not currently supported: build.gradle (without the accompanying gradle-dependencies-q.txt file), ivy.xml


JavaScript (npm)

Preferred manifests: package.json

Preferred lockfiles: yarn.lock, package-lock.json, npm-shrinkwrap.json


Python (PyPI)

Preferred manifests:

  • requirements.txt
  • Pipfile
  • pyproject.toml

Preferred lockfiles: Pipfile.lock, poetry.lock

Not currently supported:

  • setup.py
  • req*.txt
  • req*.pip
  • requirements/*.pip

Python (conda)

Preferred manifests: environment.yml


Golang (Go)

Preferred manifests: go.mod


Swift (CocoaPods)

Preferred manifests: Podfile, *.podspec

Preferred lockfiles: Podfile.lock


C# (NuGet)

Preferred manifests: *.csproj, project.assets.json

  • For .csproj files, package references must be declared with the "PackageReference" element rather than the legacy "Reference" element; dependencies declared only as legacy references are not read from the project file.
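
To check that requirement before uploading a project file, the following added Python script (written for this page; it is not Tidelift's code and not part of the Tidelift CLI) parses a .csproj with the standard library and reports which dependencies are declared with PackageReference and which appear only as legacy Reference items. The two project files embedded in it are constructed samples, and the "ok" verdict is this script's own rule: a file passes only when it has PackageReference items and no Reference items at all, so framework-assembly references are flagged too and the output should be read as a prompt for review.

```python
"""Classify a .csproj file by how it declares its dependencies.

Added example, not part of the Tidelift CLI: it lists PackageReference
items (which an SBOM tool can read from the project file) and legacy
Reference items (which the page says are not supported). The two project
files below are constructed samples, not taken from any real project.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: SDK-style project that uses PackageReference.
SDK_STYLE_CSPROJ = r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog">
      <Version>3.1.1</Version>
    </PackageReference>
  </ItemGroup>
</Project>
"""

# Constructed sample: legacy project whose NuGet packages come from
# packages.config and appear only as Reference items with a HintPath.
LEGACY_CSPROJ = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="Newtonsoft.Json, Version=13.0.0.0, Culture=neutral">
      <HintPath>..\packages\Newtonsoft.Json.13.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
    </Reference>
    <Reference Include="System" />
  </ItemGroup>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace so both project styles parse alike."""
    return tag.rsplit("}", 1)[-1]


def classify_csproj(xml_text: str) -> dict:
    """Return the PackageReference and legacy Reference items in a .csproj.

    package_references: list of (package id, version or None)
    legacy_references:  list of assembly names taken from Reference items
    ok: True only when packages are declared via PackageReference and no
        Reference items are present (this script's own rule)
    """
    root = ET.fromstring(xml_text)
    package_refs = []
    legacy_refs = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "PackageReference":
            version = el.get("Version")
            if version is None:
                # SDK-style projects may carry the version as a child element.
                for child in el:
                    if _local(child.tag) == "Version":
                        version = (child.text or "").strip()
            package_refs.append((el.get("Include"), version))
        elif tag == "Reference":
            # Include is "Name, Version=..., Culture=..."; keep only the name.
            include = el.get("Include") or ""
            legacy_refs.append(include.split(",", 1)[0].strip())
    return {
        "package_references": package_refs,
        "legacy_references": legacy_refs,
        "ok": bool(package_refs) and not legacy_refs,
    }


def report(path: str, xml_text: str) -> str:
    """Human-readable summary for one project file."""
    result = classify_csproj(xml_text)
    lines = [f"{path}: {'OK' if result['ok'] else 'NEEDS ATTENTION'}"]
    for pkg, ver in result["package_references"]:
        lines.append(f"  PackageReference {pkg} {ver or '(no version)'}")
    for name in result["legacy_references"]:
        lines.append(f"  legacy Reference {name} (not read from .csproj; migrate to PackageReference)")
    return "\n".join(lines)


if __name__ == "__main__":
    # With no arguments, run against the constructed samples; otherwise read the given files.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            with open(p, encoding="utf-8") as fh:
                print(report(p, fh.read()))
    else:
        print(report("sdk-style.csproj", SDK_STYLE_CSPROJ))
        print(report("legacy.csproj", LEGACY_CSPROJ))
```

Run it with one or more .csproj paths as arguments to check real project files; with no arguments it reports on the two embedded samples, the first passing and the second flagged.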

Preferred lockfiles: packages.lock.json

Not currently supported:

  • packages.config
  • *.nuspec
  • paket.lock

Ruby (RubyGems)

Preferred manifests: Gemfile

Preferred lockfiles: Gemfile.lock

Not currently supported:

  • *.gemspec
  • gems.rb
  • gems.locked

PHP (Packagist)

Preferred manifests: composer.json


Rust (Cargo)

Preferred manifests: Cargo.toml

Preferred lockfiles: Cargo.lock
