Using deprecated packages poses a risk to your organization. A deprecated package is one where the maintainer has encouraged people to use other packages instead. Deprecated packages are either no longer actively maintained, or at risk of becoming unmaintained in the future, leaving them more susceptible to security vulnerabilities and other potential issues. With the Tidelift Subscription, you can keep deprecated packages out of your organization's catalog by using the Deprecated standard.
Tidelift is regularly monitoring for package deprecation from the following sources:
- From the package manager - when a maintainer indicates that a package has been deprecated
- Directly from the maintainers and catalog administrators - for instances when deprecation information has not been shared publicly
We will notify you when your team is using or wants to use deprecated packages and help you uphold this standard. We will also display any additional information that a maintainer has provided about the deprecation, which may include recommendations for alternate packages.
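The package-manager signal mentioned in the first bullet above can be checked independently of the catalog. The following added example (not Tidelift's code) assumes npm as the package manager: the registry publishes a maintainer's deprecation notice as the string field `deprecated` on each affected version, and the script reports which resolved releases in a package-lock.json carry such a notice and whether the whole package or only that release is deprecated. The package names, versions, notices and lockfile are constructed.

```python
import json

# Constructed npm registry metadata in the shape of GET https://registry.npmjs.org/<name>,
# trimmed to the fields that matter here. npm records a maintainer's deprecation
# notice as the string "deprecated" on each affected version; un-deprecating a
# release leaves an empty string behind, so the check below requires non-empty text.
REGISTRY = {
    "pkg-a": json.loads("""{"name": "pkg-a", "versions": {
        "1.0.0": {"version": "1.0.0", "deprecated": "Use pkg-b instead"},
        "1.1.0": {"version": "1.1.0", "deprecated": "Use pkg-b instead"}}}"""),
    "pkg-c": json.loads("""{"name": "pkg-c", "versions": {
        "2.0.0": {"version": "2.0.0", "deprecated": "Broken build; upgrade to 2.0.1"},
        "2.0.1": {"version": "2.0.1", "deprecated": ""}}}"""),
    "pkg-b": json.loads("""{"name": "pkg-b", "versions": {"3.0.0": {"version": "3.0.0"}}}"""),
}

# Constructed package-lock.json (lockfileVersion 3) fragment: resolved versions only.
LOCKFILE = json.loads("""{"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/pkg-a": {"version": "1.1.0"},
    "node_modules/pkg-c": {"version": "2.0.0"},
    "node_modules/pkg-b": {"version": "3.0.0"}}}""")


def deprecated_releases(doc):
    """Map version -> maintainer notice for every deprecated release in a registry doc."""
    return {v: meta["deprecated"] for v, meta in doc.get("versions", {}).items()
            if isinstance(meta.get("deprecated"), str) and meta["deprecated"]}


def check_lockfile(lock, registry):
    """List each locked release the package manager marks deprecated.

    scope is "package" when every published release is deprecated (an override or
    denial of the whole package is the only way to resolve it) and "release" when
    an undeprecated release exists and upgrading clears the violation.
    """
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # skip the root project entry
        name = path.rsplit("node_modules/", 1)[1]  # handles nested and @scoped paths
        doc = registry.get(name)
        if doc is None:
            continue
        notices = deprecated_releases(doc)
        version = entry.get("version")
        if version in notices:
            scope = "package" if len(notices) == len(doc["versions"]) else "release"
            findings.append({"name": name, "version": version, "scope": scope,
                             "notice": notices[version]})
    return sorted(findings, key=lambda f: f["name"])


if __name__ == "__main__":
    for f in check_lockfile(LOCKFILE, REGISTRY):
        print(f"{f['name']}@{f['version']} deprecated ({f['scope']}): {f['notice']}")
```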
How do I keep my team from using deprecated packages?
You can begin creating violations for deprecated packages by going to the Standards page and turning on the Deprecated standard.
What happens if a package release in my catalog becomes deprecated?
Tidelift is regularly monitoring all packages and will notify you if a package release that you are currently using becomes deprecated. A task will be generated for the catalog administrators to notify them about already-approved releases that violate this standard. For each package, the catalog administrators can resolve the violation by doing one of the following:
- Create an override for the deprecated package
- Deny all releases of the package
What happens when a newly requested package release is deprecated?
If a developer requests a package that Tidelift knows to be deprecated, the catalog administrators reviewing the request will see that there is a standard violation. The catalog administrators can do any of the following:
- Create an override for the package and approve the release
- Deny the release
Creating overrides for deprecated packages
When a package becomes deprecated or a developer requests a deprecated package, you may still want to create an override for this package release to be approved in your catalog.
Overrides can be created when completing a task and they can apply to an entire package. You can view and export all deprecated package overrides:
- Navigate to the Standards page
- Find the Deprecated standard
- Select Manage overrides
- Click on "Create new overrides" and fill in the appropriate information
- On this page you can view, edit, and add exceptions