This glossary contains definitions for the services and products that Tidelift offers, as well as the actions people can take to use these services.
Activity feed • noun
An audit log of all changes to a catalog (e.g. approved packages, completed tasks).
Alignment • noun
Used to describe projects: a project is aligned with a catalog if all of its package releases are approved in that catalog. The alignment check can be run one-off or as part of a CI/CD pipeline.
Approve • verb
The act of saying something is okay to use (tasks, licenses, etc.)
Approved • adjective
Something that is okay to use (package release, license, etc.)
Bill of materials • noun
The list of all of the package releases in a repository
Catalog • noun
An approved list of open source package releases that are available within an organization and meet its configured standards. A catalog also records the denied package releases and notes on why they were denied.
Deny • verb
The act of saying something is not okay (tasks, licenses, etc.)
Denied • adjective
Something that is not okay to use (package release, license, etc.)
Dependency Chain • noun
A list of dependencies linking a transitive dependency to the direct dependency that required it.
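The alignment check and the dependency chain above can be demonstrated together. The following Python is an added example, not Tidelift's code: the manifest's direct dependencies, the lockfile graph and the catalog statuses are all constructed for illustration, as are the purl-style release names. It computes the bill of materials reachable from the direct dependencies, compares every release against the catalog (a release the catalog has never reviewed fails just like a denied one), and reports each failing release with the shortest dependency chain back to the direct dependency that pulled it in, exiting non-zero so it can gate a CI job.

```python
import sys
from collections import deque

# Constructed inputs (not a real project or catalog). DIRECT comes from the
# manifest; LOCKFILE maps each resolved release to the releases it requires.
DIRECT = ["pkg:npm/web-framework@2.1.0", "pkg:npm/util-lib@4.0.1"]
LOCKFILE = {
    "pkg:npm/web-framework@2.1.0": ["pkg:npm/body-reader@1.3.0",
                                    "pkg:npm/cookie-jar@0.9.2"],
    "pkg:npm/body-reader@1.3.0": ["pkg:npm/query-parse@6.2.0"],
    "pkg:npm/cookie-jar@0.9.2": [],
    "pkg:npm/query-parse@6.2.0": [],
    "pkg:npm/util-lib@4.0.1": ["pkg:npm/query-parse@6.2.0"],
}
# Constructed catalog: release -> status. cookie-jar has never been reviewed,
# so it is absent; absence is not approval.
CATALOG = {
    "pkg:npm/web-framework@2.1.0": "approved",
    "pkg:npm/body-reader@1.3.0": "approved",
    "pkg:npm/util-lib@4.0.1": "approved",
    "pkg:npm/query-parse@6.2.0": "denied",
}


def bill_of_materials(direct, lockfile):
    """All releases reachable from the direct dependencies: the repository's BOM."""
    seen, todo = set(), deque(direct)
    while todo:
        release = todo.popleft()
        if release in seen:
            continue
        seen.add(release)
        todo.extend(lockfile.get(release, []))
    return seen


def dependency_chain(direct, lockfile, target):
    """Shortest chain from a direct dependency to `target`, found by BFS.
    Returns [] if `target` is not in the dependency graph."""
    parent = {release: None for release in direct}
    todo = deque(direct)
    while todo:
        release = todo.popleft()
        if release == target:
            chain = []
            while release is not None:
                chain.append(release)
                release = parent[release]
            return chain[::-1]
        for dep in lockfile.get(release, []):
            if dep not in parent:
                parent[dep] = release
                todo.append(dep)
    return []


def check_alignment(direct, lockfile, catalog):
    """Return (aligned, violations). A project is aligned only when every
    release in its BOM is approved; denied and unreviewed releases both fail."""
    violations = []
    for release in sorted(bill_of_materials(direct, lockfile)):
        status = catalog.get(release, "unreviewed")
        if status != "approved":
            violations.append({
                "release": release,
                "status": status,
                "chain": dependency_chain(direct, lockfile, release),
            })
    return not violations, violations


def main():
    aligned, violations = check_alignment(DIRECT, LOCKFILE, CATALOG)
    for v in violations:
        print(f"{v['status']:>10}  {' -> '.join(v['chain'])}")
    print("PASS" if aligned else "FAIL")
    return 0 if aligned else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a script it prints one line per failing release (here cookie-jar as unreviewed via web-framework, and query-parse as denied via util-lib) followed by FAIL, and its exit status is what a CI step would key on. Treating an unreviewed release as a failure is the choice that matches the definition of alignment above: only an explicit approval counts.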
Deprecated • adjective
A deprecated package is one whose maintainers have declared that it should not be used because it is planned to reach end-of-life at some future point. This declaration can be made in the package manager (example) or in project documentation (example).
A package declared as deprecated may also be explicitly End-of-Life or Unmaintained.
Related terms: maintenance mode
Downstream • noun
The teams/people/packages that consume/rely on the stuff I own
End-of-Life • adjective
An end-of-life package is one whose maintainers have declared that it is no longer maintained. Because it is no longer maintained and will not be updated, end-of-life software should not be used.
An end-of-life release is one whose maintainers have declared that any new fixes and security updates will only happen on a later major or minor release. A user will have to update to a major or minor release that is receiving updates if a security issue or major bug happens.
Fail • verb
Not making it through one of the checks in a series of quality control checks, such as a check for alignment
Ignore • verb
The action taken when a vulnerability does not affect the organization; does not add or remove package releases from the catalog
Import • verb
The act of adding package releases to your catalog from somewhere else.
License template • noun
Pre-defined license standards that can be further customized
Lockfile • noun
A type of package file that lists both direct and transitive dependencies, pinned to the exact releases that were resolved (e.g. package-lock.json, Pipfile.lock)
Maintenance • noun
The work required to keep a specific package usable, such as ongoing development (e.g. new features, fixing bugs) and completing secure software development tasks.
A package that receives no maintenance for a long period of time could be considered effectively end-of-life, as maintainers sometimes walk away from maintenance without explicitly declaring their package as unmaintained.
Related terms: maintaining, maintainers
Management • noun
The work required to keep catalogs usable and up to defined standards, such as completing tasks and deciding which package releases should be added or removed. This is the work that we charge for and isn't a free ride.
Related terms: managing, managers
Manifest • noun
A type of package file that lists a repository's direct dependencies, often as version ranges rather than exact releases (e.g. package.json, Gemfile)
Organization • noun
An entity that has a Tidelift Subscription
Package • noun
A single open source component, releases of which can be installed from a package manager. (e.g. pandas)
Related terms: component, dependency, artifact, library, payload
Package file • noun
Contains information about the package releases used in a repository, including the relationships of packages. A repository usually contains two types of package files, a manifest and a lockfile.
Package manager • noun
The ecosystem for a specific language and its packages (e.g. npm, Maven, PyPI)
Pass • verb
Making it through one check in a series of quality control checks, such as a check for alignment
Project • noun
A home for a repository's package files and bill of materials, typically connected to that repository via the CLI, API or GitHub integration
PURL • noun
A Package URL: a unique identifier for an application dependency with a defined, parseable standard (scheme pkg, then type/namespace/name@version, optionally followed by ?qualifiers and #subpath). Example: the purl for the 5.0.4 version of the Vite plugin for Vue is:
pkg:npm/@vitejs/plugin-vue@5.0.4
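As an added example, not code from Tidelift or from the package-url project, here is a small Python parser and canonical serialiser for purls. It splits components in the order the purl specification prescribes (subpath and qualifiers off the right end first, then scheme, type, version, and finally namespace and name) and percent-decodes each part. It accepts the example above as written and also the canonical form, in which the npm scope's leading "@" is percent-encoded as %40; the parser comment explains why that encoding exists. The class and helper names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def to_string(self) -> str:
        """Canonical form: each component percent-encoded, so an npm scope
        such as '@vitejs' is written '%40vitejs'."""
        out = f"pkg:{self.type}/"
        if self.namespace:
            out += "/".join(quote(s, safe="") for s in self.namespace.split("/")) + "/"
        out += quote(self.name, safe="")
        if self.version:
            out += "@" + quote(self.version, safe="")
        if self.qualifiers:
            out += "?" + "&".join(f"{k}={quote(v, safe='')}"
                                  for k, v in sorted(self.qualifiers.items()))
        if self.subpath:
            out += "#" + "/".join(quote(s, safe="") for s in self.subpath.split("/"))
        return out


def _split_right(s: str, sep: str):
    """Split once on the rightmost `sep`; (s, '') when it is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(purl: str) -> PackageURL:
    """Parse 'pkg:type/namespace/name@version?qualifiers#subpath'."""
    rest, subpath = _split_right(purl.strip(), "#")
    rest, qualifiers = _split_right(rest, "?")
    scheme, found, rest = rest.partition(":")
    if not found or scheme.lower() != "pkg":
        raise ValueError("a purl must start with 'pkg:'")
    ptype, found, rest = rest.lstrip("/").partition("/")
    if not found or not ptype:
        raise ValueError("a purl needs a type and a name")
    # The version follows the rightmost '@'. An '@' at index 0 is an
    # unencoded npm scope ('@vitejs/plugin-vue'), not a version separator;
    # the canonical form writes it as '%40vitejs' to avoid this ambiguity.
    at = rest.rfind("@")
    version = (unquote(rest[at + 1:]) or None) if at > 0 else None
    rest = rest[:at] if at > 0 else rest
    segments = [unquote(s) for s in rest.split("/") if s]
    if not segments:
        raise ValueError("a purl needs a name")
    quals: Dict[str, str] = {}
    for pair in qualifiers.split("&"):
        key, _, value = pair.partition("=")
        if key and value:  # qualifiers with empty values are dropped
            quals[key.lower()] = unquote(value)
    sub = "/".join(unquote(s) for s in subpath.split("/")
                   if s not in ("", ".", ".."))
    return PackageURL(type=ptype.lower(), name=segments[-1],
                      namespace="/".join(segments[:-1]) or None,
                      version=version, qualifiers=quals, subpath=sub or None)


def is_valid_purl(purl: str) -> bool:
    """True when `purl` parses; handy for validating identifiers in an SBOM."""
    try:
        parse_purl(purl)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    p = parse_purl("pkg:npm/@vitejs/plugin-vue@5.0.4")
    print(p)               # namespace='@vitejs', name='plugin-vue', version='5.0.4'
    print(p.to_string())   # pkg:npm/%40vitejs/plugin-vue@5.0.4
```

Round-tripping the example through `to_string()` yields pkg:npm/%40vitejs/plugin-vue@5.0.4, which parses back to the same components. When comparing purls from different tools (one emitting the encoded scope, another the bare "@"), compare parsed components or canonical strings rather than the raw text.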
Release / Package release • noun
The combination of a package and a specific release of that package (e.g. pandas 1.0.0)
Standards • noun
A benchmark that a catalog administrator uses to decide whether a specific package or package release should be included in a catalog. These standards can relate to approved/denied licenses, security, and/or maintenance and are determined at the catalog-level.
Status • noun
Usually used in respect to a package release, whether it is approved or denied in a catalog
Task • noun
A manual review of a violation, carried out by a catalog administrator (Tidelift, or a person at the company), to determine whether something should be allowed. Standards can be configured not to create tasks, as reviewing every violation is not recommended.
The Tidelift Subscription • proper noun/service name
The paid service through which an engineering team can experience the benefits of managed open source.
Tidelift web app • proper noun
An application for interfacing with Tidelift from the web.
Tidelift Command Line Interface (CLI) • proper noun
An application for interfacing with Tidelift from the command line.
Upgrade • verb
The action taken to get to a newer release of a package or build; used in security tasks
Upstream • noun
The teams/people that own the stuff I consume/rely on
Use • verb
A generic term meant to indicate the adoption of a specific catalog. There are multiple ways that someone might use a catalog, such as aligning a repository with a catalog, subscribing to updates from another catalog or importing package releases from another catalog.