Glossary of terms

This glossary contains definitions for the services and products that Tidelift offers, as well as the actions people can take to use these services.

Activity feed • noun

An audit log of all changes to a catalog (e.g. approved packages, completed tasks).

Alignment • noun

Used to describe projects: a project is aligned with a catalog if every package release it uses is approved in that catalog. An alignment check can be run one-off or as part of a CI/CD pipeline.

Approve • verb

The act of saying something is okay to use (tasks, licenses, etc.)

Approved • adjective

Something that is okay to use (package release, license, etc.)

Bill of materials • noun

The list of all of the package releases in a repository

Catalog • noun

The list of open source package releases that are approved for use within an organization because they meet its configured standards. A catalog also records the denied package releases and notes on why they were denied.

Deny • verb

The act of saying something is not okay (tasks, licenses, etc.)

Denied • adjective

Something that is not okay to use (package release, license, etc.)

Dependency Chain • noun

A list of dependencies linking a transitive dependency to the direct dependency that required it.

Deprecated • adjective

A deprecated package is one whose maintainers have declared that it should not be used because it is planned to reach end-of-life at some future point. This declaration can be made through the package manager or in the project's documentation.

A package declared as deprecated may also be explicitly End-of-Life, or Unmaintained.

Related terms: maintenance mode

Downstream • noun

The teams, people or packages that consume or rely on what you own.

End-of-Life • adjective

An end-of-life package is one whose maintainers have declared that it is no longer maintained. Because it will receive no further updates, including security fixes, end-of-life software should not be used.

An end-of-life release is one whose maintainers have declared that new fixes and security updates will only be made on a later major or minor release. A user who needs a security fix or bug fix must update to a major or minor release that is still receiving updates.

Fail • verb

Not passing one of the checks in a series of quality control checks, such as a check for alignment.

Ignore • verb

The action taken on a vulnerability that is judged not to affect the organization; ignoring does not add or remove package releases from the catalog.

Import • verb

The act of adding package releases to your catalog from somewhere else.

License template • noun

Pre-defined license standards that can be further customized.

Lockfile • noun

A type of package file that lists both direct and transitive dependencies, pinned to the exact releases that were resolved.

Maintenance • noun

The work required to keep a specific package usable, such as ongoing development (e.g. new features, fixing bugs) and completing secure software development tasks.

A package that receives no maintenance for a long period of time could be considered effectively end-of-life, as maintainers sometimes walk away from maintenance without explicitly declaring their package as unmaintained.

Related terms: maintaining, maintainers

Management • noun

The work required to keep catalogs usable and up to defined standards, such as completing tasks and deciding which package releases should be added or removed. This is the work that Tidelift charges for.

Related terms: managing, managers

Manifest • noun

A type of package file that lists a project's direct dependencies, usually as version ranges rather than exact releases.

Organization • noun

An entity that has a Tidelift Subscription

Package • noun

A single open source component, releases of which can be installed from a package manager. (e.g. pandas)

Related terms: component, dependency, artifact, library, payload

Package file • noun

Contains information about the package releases used in a repository, including the relationships between packages. A repository usually contains two types of package files: a manifest and a lockfile.
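The following script is an added worked example, not part of this glossary or of Tidelift's tooling. It ties together several of the terms above: it derives a bill of materials from a lockfile, checks every package release in it against a catalog of approved and denied releases (an alignment check that passes or fails), and for each release that is not approved walks the dependency chain back to the direct dependency that pulled it in. The lockfile is a constructed, fully hoisted excerpt in npm's package-lock v3 layout (the root entry plays the role of the manifest), and the catalog contents and package names are made up.

```python
"""Added example: bill of materials, alignment check and dependency chain.

Assumes a flat (fully hoisted) npm package-lock v3 file, so that the key
"node_modules/<name>" identifies exactly one package release. Nested
node_modules trees are out of scope for this illustration.
"""
import json
from collections import deque

# Constructed lockfile. The "" entry is the root project and mirrors the
# manifest's direct dependencies; every other entry is one package release.
LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "demo-app",
      "dependencies": {"web-framework": "^4.18.0", "date-utils": "^1.2.0"}
    },
    "node_modules/web-framework": {
      "version": "4.18.2",
      "dependencies": {"http-parser": "^2.0.0", "cookie-jar": "^0.5.0"}
    },
    "node_modules/date-utils": {"version": "1.2.3"},
    "node_modules/http-parser": {"version": "2.1.0",
                                 "dependencies": {"tiny-buf": "^1.0.0"}},
    "node_modules/cookie-jar": {"version": "0.5.1"},
    "node_modules/tiny-buf": {"version": "1.0.2"}
  }
}
""")

# Constructed catalog: releases are keyed as "name@version". A release in
# neither set has no decision yet and is treated as "not approved".
CATALOG = {
    "approved": {"web-framework@4.18.2", "date-utils@1.2.3",
                 "http-parser@2.1.0", "cookie-jar@0.5.1"},
    "denied": {"tiny-buf@1.0.2": "license changed to a non-permissive one"},
}


def bill_of_materials(lockfile):
    """Return {name: version} for every package release in the lockfile."""
    bom = {}
    for key, entry in lockfile["packages"].items():
        if key == "":
            continue  # the root project is not a dependency of itself
        bom[key[len("node_modules/"):]] = entry["version"]
    return bom


def dependency_graph(lockfile):
    """Return {name: [dependency names]}; the root project is keyed ""."""
    graph = {}
    for key, entry in lockfile["packages"].items():
        name = "" if key == "" else key[len("node_modules/"):]
        graph[name] = list(entry.get("dependencies", {}))
    return graph


def dependency_chain(graph, target):
    """Shortest chain from a direct dependency down to `target`,
    e.g. ["web-framework", "http-parser", "tiny-buf"]; None if unreachable."""
    parents = {"": None}          # breadth-first search from the root
    queue = deque([""])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node != "":     # walk back up to the root
                chain.append(node)
                node = parents[node]
            return list(reversed(chain))
        for dep in graph.get(node, []):
            if dep not in parents:
                parents[dep] = node
                queue.append(dep)
    return None


def check_alignment(lockfile, catalog):
    """Compare the bill of materials with the catalog.

    Returns (passed, findings); findings holds each release that is not
    approved, whether it was explicitly denied, and the chain that pulled it in."""
    graph = dependency_graph(lockfile)
    findings = []
    for name, version in sorted(bill_of_materials(lockfile).items()):
        release = f"{name}@{version}"
        if release in catalog["approved"]:
            continue
        findings.append({
            "release": release,
            "status": "denied" if release in catalog["denied"] else "not approved",
            "reason": catalog["denied"].get(release),
            "chain": dependency_chain(graph, name),
        })
    return (not findings), findings


if __name__ == "__main__":
    passed, findings = check_alignment(LOCKFILE, CATALOG)
    print("PASS" if passed else "FAIL")
    for f in findings:
        print(f"  {f['release']}: {f['status']} via {' -> '.join(f['chain'])}")
```

The chain is what makes a failed alignment actionable: the denied release tiny-buf@1.0.2 is not something the project asked for, so the fix is to upgrade or replace web-framework, the direct dependency at the top of the chain, rather than to edit the transitive dependency by hand.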

Package manager • noun

The ecosystem for a specific language and its respective packages (e.g. npm, Maven, PyPI).

Pass • verb

Making it through one check in a series of quality control checks, such as a check for alignment

Project • noun

A home for a repository's package files and bill of materials, typically connected to the repository via the CLI, API or GitHub integration.

PURL • noun

A package URL: a unique identifier for an application dependency, with a defined, parseable standard. It takes the form pkg:type/namespace/name@version, where the namespace is optional. Example: the purl for the 5.0.4 version of the Vite plugin for Vue is:

pkg:npm/@vitejs/plugin-vue@5.0.4
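To show what "a defined, parseable standard" means in practice, here is an added example (not part of the glossary and not Tidelift's own code) that parses purls into their components and rebuilds them in canonical form. It follows the published purl grammar, pkg:type/namespace/name@version?qualifiers#subpath, splitting off the subpath, qualifiers and version before the type, namespace and name, and percent-decoding each component. The sample purls are constructed, apart from the one quoted above and the pandas 1.0.0 release mentioned elsewhere on this page. One deliberate choice, noted in the code: the rightmost "@" is only treated as the version separator when it appears after the last "/", so an unencoded npm scope such as @vitejs in a purl without a version is not mistaken for one.

```python
"""Added example: parse and canonically rebuild package URLs (purls)."""
from urllib.parse import quote, unquote


def parse_purl(purl):
    """Split a purl into a dict of its components (missing parts are None)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")  # tolerate pkg:// and pkg:/ prefixes

    # Strip the optional subpath ("#...") and qualifiers ("?...") first; they
    # may contain characters that would otherwise confuse the later splits.
    rest, _, subpath_str = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")

    # Version: the part after the rightmost "@", but only if that "@" comes
    # after the last "/" (so an unencoded "@scope" namespace is not a version).
    version = None
    at = rest.rfind("@")
    if at > rest.rfind("/"):
        rest, version = rest[:at], unquote(rest[at + 1:])

    # Type is everything before the first "/"; the last path segment is the
    # name; any segments in between form the namespace.
    type_, _, path = rest.partition("/")
    segments = [s for s in path.split("/") if s]
    if not type_ or not segments:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    name = unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[:-1]) or None

    # Qualifiers: key=value pairs joined by "&"; keys are case-insensitive
    # and a pair with an empty value is dropped.
    qualifiers = {}
    for pair in qualifier_str.split("&"):
        key, _, value = pair.partition("=")
        if key and value:
            qualifiers[key.lower()] = unquote(value)

    subpath_segments = [unquote(s) for s in subpath_str.split("/")
                        if s not in ("", ".", "..")]
    return {
        "type": type_.lower(),
        "namespace": namespace,
        "name": name,
        "version": version,
        "qualifiers": qualifiers,
        "subpath": "/".join(subpath_segments) or None,
    }


def build_purl(p):
    """Rebuild a canonical purl string from a dict shaped like parse_purl's."""
    out = "pkg:" + p["type"].lower() + "/"
    if p.get("namespace"):
        out += "/".join(quote(s, safe="") for s in p["namespace"].split("/")) + "/"
    out += quote(p["name"], safe="")           # "@vitejs" becomes "%40vitejs"
    if p.get("version"):
        out += "@" + quote(p["version"], safe="")
    if p.get("qualifiers"):
        out += "?" + "&".join(f"{k.lower()}={quote(v, safe='')}"
                              for k, v in sorted(p["qualifiers"].items()) if v)
    if p.get("subpath"):
        out += "#" + "/".join(quote(s, safe="") for s in p["subpath"].split("/"))
    return out


if __name__ == "__main__":
    for sample in ("pkg:npm/@vitejs/plugin-vue@5.0.4",
                   "pkg:pypi/pandas@1.0.0",
                   "pkg:npm/@vitejs/plugin-vue"):
        parsed = parse_purl(sample)
        print(sample, "->", parsed, "->", build_purl(parsed))
```

Note that the canonical form percent-encodes the "@" of an npm scope (pkg:npm/%40vitejs/plugin-vue@5.0.4), while the unencoded form shown above parses to the same components; comparing purls by their parsed components, or by their rebuilt canonical string, avoids mismatches between the two spellings when matching a bill of materials against a catalog.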

Release / Package release • noun

The combination of a package and a specific release of that package (e.g. pandas 1.0.0).

Standards • noun

A benchmark that a catalog administrator uses to decide whether a specific package or package release should be included in a catalog. Standards can relate to approved/denied licenses, security, and/or maintenance, and are defined at the catalog level.

Status • noun

Usually used of a package release: whether it is approved or denied in a catalog.

Task • noun

A manual review of a violation, performed by a catalog administrator (Tidelift or a person at the company), to determine whether something should be allowed. Standards can be configured not to create tasks, as reviewing every violation is not recommended.

The Tidelift Subscription • proper noun/service name

The paid service through which an engineering team can experience the benefits of managed open source.

Tidelift web app • proper noun

An application for interfacing with Tidelift from the web.

Tidelift Command Line Interface (CLI) • proper noun

An application for interfacing with Tidelift from the command line.

Upgrade • verb

The action taken to move to a newer release of a package or build; used in security tasks.

Upstream • noun

The teams or people that own what you consume or rely on.

Use • verb

A generic term meant to indicate the adoption of a specific catalog. There are multiple ways that someone might use a catalog, such as aligning a repository with a catalog, subscribing to updates from another catalog or importing package releases from another catalog.
