Using deprecated packages poses a risk to your organization. A deprecated package is one where the maintainer has encouraged people to use other packages instead. Deprecated packages are either no longer actively maintained, or at risk of becoming unmaintained in the future, leaving them more susceptible to security vulnerabilities and other potential issues. With the Tidelift Subscription, you can keep deprecated packages out of your organization's catalog by using the Deprecated standard.
Tidelift regularly monitors for package deprecation using the following sources:
- From the package manager - when a maintainer indicates that a package has been deprecated
- Directly from the maintainers and catalog administrators - for cases where deprecation information has not been shared publicly
Tidelift will notify you when your team is using or wants to use deprecated packages and help you uphold this standard. Tidelift will also display any additional information that a maintainer has provided about the deprecation, which may include recommendations for alternate packages.
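The package-manager signal described above can also be checked locally. For npm, a maintainer's `npm deprecate` message is stored in the registry metadata for each affected version under a `deprecated` field, and the following added example (not Tidelift's code) flags lockfile entries that pin such a release. The package names, registry metadata and package-lock.json contents are constructed samples.

```python
import json

# Constructed sample of npm registry metadata ("packuments"): the registry stores
# the maintainer's `npm deprecate` message under versions[<ver>]["deprecated"].
SAMPLE_PACKUMENTS = {
    "left-padding": {  # hypothetical package: every release deprecated
        "versions": {
            "1.1.0": {"deprecated": "use String.prototype.padStart instead"},
        }
    },
    "request-lite": {  # hypothetical package: only the 2.x line deprecated
        "versions": {
            "2.0.0": {"deprecated": "2.x is unmaintained; upgrade to 3.x"},
            "3.0.1": {},
        }
    },
    "tiny-util": {"versions": {"0.4.2": {}}},  # hypothetical, not deprecated
}

# Constructed package-lock.json (lockfileVersion 3 layout); tiny-util nests request-lite 2.0.0.
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/left-padding": {"version": "1.1.0"},
        "node_modules/request-lite": {"version": "3.0.1"},
        "node_modules/tiny-util": {"version": "0.4.2"},
        "node_modules/tiny-util/node_modules/request-lite": {"version": "2.0.0"},
    },
})

def pinned_releases(lockfile_text):
    """Yield (name, version) for every node_modules entry, nested ones included."""
    lock = json.loads(lockfile_text)
    for path, entry in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the root project entry ("") is not a dependency
        # last segment after node_modules/ is the registry name (scoped @org/name included)
        yield path.rsplit("node_modules/", 1)[1], entry["version"]

def deprecation_message(packuments, name, version):
    """Return the maintainer's deprecation text for one release, or None if not deprecated."""
    meta = packuments.get(name, {}).get("versions", {}).get(version, {})
    return meta.get("deprecated") or None  # npm clears a notice by setting it to ""

def deprecated_in_use(lockfile_text, packuments):
    """List (name, version, message) for pinned releases that violate a Deprecated standard."""
    return [(n, v, m) for n, v in pinned_releases(lockfile_text)
            if (m := deprecation_message(packuments, n, v))]
```

Note that a transitive copy (request-lite 2.0.0 nested under tiny-util) is reported even though the top-level pin is a non-deprecated release, which is the case a top-level-only review misses.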
How do I keep my team from using deprecated packages?
You can begin creating violations for deprecated packages by going to the Standards page and turning on the Deprecated standard.
What happens if a package release in my catalog becomes deprecated?
Tidelift regularly monitors all packages and will notify you if a package release that you are currently using becomes deprecated. A task will be generated for the catalog administrators to notify them about already-approved releases that violate this standard. For each package, the catalog administrators can resolve the violation by doing one of the following:
- Create an override for the deprecated package
- Deny all releases of the package
What happens when a newly requested package release is deprecated?
If a developer requests a package that Tidelift knows to be deprecated, the catalog administrators reviewing the request will see that there is a standard violation. The catalog administrators can do any of the following:
- Create an override for the package and approve the release
- Deny the release
Managing overrides
While this is not recommended practice, you may need to allow a package release that the Deprecated standard has not allowed.
To do so, see Creating Overrides.