Deprecated packages standard

Using deprecated packages poses a risk to your organization. A deprecated package is one where the maintainer has encouraged people to use other packages instead. Deprecated packages are either no longer actively maintained, or at risk of becoming unmaintained in the future, leaving them more susceptible to security vulnerabilities and other potential issues. With the Tidelift Subscription, you can keep deprecated packages out of your organization's catalog by using the Deprecated standard.

image (7).png

Tidelift is regularly monitoring for package deprecation from the following sources:

  • From the package manager - when a maintainer indicates that a package has been deprecated
  • Directly from the maintainers and catalog administrators - for instances when deprecation information has not been shared publicly

We will notify you when your team is using or wants to use deprecated packages and help you uphold this standard. We will also display any additional information that a maintainer has provided about the deprecation, which may include recommendations for alternate packages.

How do I keep my team from using deprecated packages?

You can begin creating violations for deprecated packages from the Standards page and turning on the Deprecated standard.

What happens if a package release in my catalog becomes deprecated?

Tidelift is regularly monitoring all packages and will notify you if a package release that you are currently using becomes deprecated. A task will be generated for the catalog administrators to notify them about already-approved releases that violate this standard. For each package, the catalog administrators can resolve the violation by doing one of the following:

What happens when a newly requested package release is deprecated?

If a developer requests a package that Tidelift knows to be deprecated, the catalog administrators reviewing the request will see that there is a standard violation. The catalog administrators can do any of the following:

  • Create an override for the package and approve the release
  • Deny the release

Managing overrides

While it is not recommended practice, you may need to allow something that the deprecated packages standard has not allowed.

To do so, see Creating Overrides.

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.

Articles in this section

See more