Supported ecosystems

The Tidelift Subscription is compatible with open source packages from a variety of ecosystems, and we work with maintainers from all of these ecosystems.

Supported ecosystems:

The following ecosystems and package managers are supported as part of the Tidelift Subscription.

  • Java (Maven)
  • JavaScript (npm)
  • Python (PyPI, conda)
  • Swift (CocoaPods)
  • Golang (Go)
  • Rust (Cargo)
  • C# (NuGet)
  • Ruby (RubyGems)

What does Tidelift provide when supporting an ecosystem?

1. Maintainers: Tidelift actively works to partner with and pay maintainers for packages in the ecosystem to ensure the viability and security of the software supply chain. Tidelift recruits new maintainers in the ecosystem based on customer usage and inquiry.

2. Security, licensing, and maintenance metadata: Tidelift automatically discovers new packages and releases, and researches vulnerability, licensing, and maintenance data.

3. Software bills of materials (SBOMs): We understand and parse project files and can create an SBOM of direct and transitive dependencies.

Manifests and lockfiles for compatible ecosystems

Generic (CycloneDX) 

Preferred manifests: cyclonedx.json, cyclonedx.xml

Java (Maven)

Preferred manifests: pom.xml

Preferred lockfiles:

  • gradle-dependencies-q.txt (run gradle dependencies -q > gradle-dependencies-q.txt and upload gradle-dependencies-q.txt with that exact name)
  • maven-resolved-dependencies.txt (run mvn dependency:list -DoutputFile=maven-resolved-dependencies.txt and upload maven-resolved-dependencies.txt with that exact name)
  • sbt-update-full.txt (run sbt 'show updateFull' > sbt-update-full.txt and upload sbt-update-full.txt with that exact name; note that the single quotes around 'show updateFull' are required)

Not currently supported: build.gradle (without the accompanying gradle-dependencies-q.txt file), ivy.xml

JavaScript (npm)

Preferred manifests: package.json

Preferred lockfiles: yarn.lock, package-lock.json, npm-shrinkwrap.json

Python (PyPI)

Preferred manifests: 

  • requirements.txt
  • Pipfile
  • pyproject.toml

Preferred lockfiles: Pipfile.lock, poetry.lock

Not currently supported:

  • req*.txt
  • req*.pip
  • requirements/*.pip

Python (Conda)

Preferred manifests: environment.yml

Golang (Go)

Preferred manifests: go.mod

Swift (CocoaPods)

Preferred manifests: Podfile, *.podspec

Preferred lockfiles: Podfile.lock

C# (NuGet)

Preferred manifests: *.csproj, project.assets.json

  • For .csproj files, package references need to be made using the "PackageReference" tag, rather than the legacy "Reference" tag. 

Preferred lockfiles: packages.lock.json

Not currently supported:

  • packages.config
  • *.nuspec
  • paket.lock

Ruby (RubyGems)

Preferred manifests: Gemfile

Preferred lockfiles: Gemfile.lock

Not currently supported:

  • *.gemspec
  • gems.rb
  • gems.locked

Rust (Cargo)

Preferred manifests: Cargo.toml

Preferred lockfiles: Cargo.lock
