The Tidelift Subscription is compatible with open source packages from a variety of ecosystems, and we work with maintainers from all of these ecosystems.
Supported ecosystems:
The following ecosystems and package managers are supported as part of the Tidelift subscription.
- Java (Maven)
- JavaScript (npm)
- Python (PyPI)
- Swift (Cocoapods)*
- Golang (Go)
- Rust (Cargo)
- C# (NuGet)
- Ruby (Rubygems)
What does Tidelift provide when supporting an ecosystem?
1. Maintainers: Tidelift actively works to partner with and pay maintainers for packages in the ecosystem to ensure the viability and security of the software supply chain. Partnered maintainers commit to continued maintenance, upholding secure development practices, and providing insights into vulnerabilities that affect their packages. Tidelift recruits new maintainers in the ecosystem based on customer usage and inquiry.
2. Security, licensing, and maintenance metadata: Tidelift automatically discovers new packages and releases, and researches vulnerability, licensing, and maintenance data from packages published on the main open source repositories for that ecosystem.
3. Software bills of materials (SBOMs): We understand and parse project files and can create an SBOM of direct and transitive dependencies.
*Tidelift currently has data and maintainer partnership limitations on Swift packages.
Details of compatible ecosystems
Ecosystem | Package manager | Package repository | Manifest file names | Lock file names |
---|---|---|---|---|
Generic SBOM | N/A | N/A | cyclonedx.xml, cyclonedx.json, *.spdx | N/A |
Java | Maven | Maven Central | pom.xml | |
Java | Gradle | Maven Central | build.gradle | |
JavaScript | NPM | NPM | package.json | package-lock.json, npm-shrinkwrap.json |
JavaScript | Yarn | NPM | package.json | yarn.lock |
Python | pip | PyPI | requirements.txt | |
Python | pipenv | PyPI | Pipfile | Pipfile.lock |
Python | poetry | PyPI | pyproject.toml | poetry.lock |
Golang | go | pkg.go.dev | go.mod | |
Swift | cocoapods | Cocoapods | Podfile, *.podspec | Podfile.lock |
C# | NuGet | NuGet Gallery | *.csproj, project.assets.json, packages.config | packages.lock.json |
Ruby | Rubygems | Rubygems | Gemfile | Gemfile.lock |
Rust | Cargo | Crates.io | Cargo.toml | Cargo.lock |
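To make concrete what item 3 above (an SBOM of direct and transitive dependencies from a project's lock file) and the "Generic SBOM" row of the table mean in practice, here is an added example that is not Tidelift's code. It reads an npm package-lock.json (lockfileVersion 3 layout, in which the `packages` map is keyed by `node_modules/...` paths), resolves each dependency the way Node does (nearest `node_modules/<name>` walking up the tree), classifies every entry as direct, transitive, or unreachable from the root, and emits a minimal CycloneDX 1.5 JSON document with a `dependencies` graph. The lock file contents are constructed for the example; `demo-app` and the packages `a`, `b`, `c`, `d` do not exist.

```python
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample package-lock.json (lockfileVersion 3); not a real project.
# "a" needs b@^1 while the root needs b@^2, so npm nests a second copy of "b".
# "d" is an extraneous entry that nothing depends on and should be flagged.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"a": "^1.0.0", "b": "^2.0.0"}},
        "node_modules/a": {"version": "1.0.0",
                           "dependencies": {"b": "^1.0.0", "c": "^1.0.0"}},
        "node_modules/a/node_modules/b": {"version": "1.4.0"},
        "node_modules/b": {"version": "2.1.0"},
        "node_modules/c": {"version": "1.0.3"},
        "node_modules/d": {"version": "0.1.0", "extraneous": True},
    },
})


def resolve(packages: Dict[str, dict], from_path: str, name: str) -> Optional[str]:
    """Node-style lookup: nearest node_modules/<name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut >= 0 else ""


def dependency_graph(lock_text: str) -> Tuple[Dict[str, dict], Dict[str, List[str]]]:
    """Return (packages, graph); graph maps a lockfile path to its resolved dependency paths."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion") != 3:
        raise ValueError("this example only handles lockfileVersion 3")
    packages = lock["packages"]
    graph: Dict[str, List[str]] = {}
    for path, meta in packages.items():
        targets = []
        for dep in meta.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None:  # a lock file that cannot satisfy itself is not trustworthy
                raise ValueError(f"inconsistent lockfile: {dep!r} not found from {path or '<root>'}")
            targets.append(target)
        graph[path] = targets
    return packages, graph


def classify(lock_text: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Split lockfile entries into direct, transitive and unreachable (extraneous) sets."""
    packages, graph = dependency_graph(lock_text)
    direct = set(graph[""])
    reachable: Set[str] = set()
    stack = list(direct)
    while stack:  # depth-first walk from the root's direct dependencies
        path = stack.pop()
        if path in reachable:
            continue
        reachable.add(path)
        stack.extend(graph.get(path, []))
    unreachable = set(packages) - {""} - reachable
    return direct, reachable - direct, unreachable


def purl_for(name: str, version: str) -> str:
    """Package URL for an npm package; the '@' of a scope is percent-encoded per the purl spec."""
    return f"pkg:npm/{name.replace('@', '%40', 1)}@{version}"


def build_sbom(lock_text: str) -> dict:
    """Emit a minimal CycloneDX 1.5 JSON document: reachable components plus the dependency graph."""
    packages, graph = dependency_graph(lock_text)
    direct, transitive, _ = classify(lock_text)
    reachable = sorted(direct | transitive)
    name_of = {p: p.rsplit("node_modules/", 1)[-1] for p in packages if p}
    ref = {p: purl_for(name_of[p], packages[p]["version"]) for p in name_of}
    root = packages[""]
    ref[""] = purl_for(root["name"], root["version"])
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": root["name"],
                                   "version": root["version"], "purl": ref[""]}},
        "components": [{"type": "library", "name": name_of[p],
                        "version": packages[p]["version"], "purl": ref[p]} for p in reachable],
        "dependencies": [{"ref": ref[p], "dependsOn": sorted(ref[t] for t in graph[p])}
                         for p in [""] + reachable],
    }


if __name__ == "__main__":
    direct, transitive, unreachable = classify(SAMPLE_LOCK)
    print("direct:", sorted(direct))
    print("transitive:", sorted(transitive))
    print("unreachable (not in the SBOM):", sorted(unreachable))
    print(json.dumps(build_sbom(SAMPLE_LOCK), indent=2))
```

Two details matter for supply-chain review: the same package name can appear twice with different versions (here `b@1.4.0` nested under `a` and `b@2.1.0` at the top level), so vulnerability matching must be done per resolved component rather than per name; and lock file entries that nothing reaches from the root are listed separately rather than silently included, since they are either stale or a sign of a hand-edited lock file.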
Looking for an ecosystem not listed here?
If you need basic information such as:
- Package names
- Available releases and their release dates
- Available metadata from the package manager
for an ecosystem not listed here, feel free to browse libraries.io, an open source project sponsored by Tidelift. Read more about the difference between data from libraries.io and The Tidelift Subscription.
If you need detailed information on an ecosystem, such as:
- Partnerships with maintainers for continued maintenance and upkeep of their software
- Vulnerability information, including assessment and workarounds directly from maintainers
- Assessment against a variety of security and maintenance standards
- Validated license information
we'd like to talk to you! Contact Tidelift today.