Note: If you are using Tidelift's catalog features, please see Setting standards for your catalog.
Sometimes it's right to ignore errors flagged by the dependency checker, rather than fixing them. This can be done by placing a .tidelift.yml file in the root of your repository on GitHub, or by including it when uploading dependency files for a scan.
Configuration is by type of test, where a test refers to a kind of error the dependency checker can generate. By default, tests apply to all files that list dependencies.
The test types are:
removed - package doesn't seem to exist anymore
deprecated - package is marked deprecated
unmaintained - package appears to be unmaintained
vulnerable - package release appears to have a security vulnerability
unlicensed - package is confirmed to have no license
missing_license - package lacks a machine-readable license
non_spdx_license - package license is not in SPDX format
license_prohibited - package release license is prohibited by settings in the licensing section
inactive_stream - package release is on a version that is marked as inactive
not_in_catalog - package release is not available for use at your organization
Tests can be set to three modes:
skip - ignore the test
warn - failures generate a warning but don't set failing status on pull requests
fail - failures generate an error and set failing status on pull requests
(By default, the 'unmaintained' and 'inactive_stream' types cause warnings, while the rest are fatal errors.)
tidelift.yml recipes
To globally skip a certain type of test, use a snippet like this (this disables the 'removed' test globally):
# don't run removed test on any dependencies
tests:
  removed: skip
To change the 'removed' test to a warning instead of an error, you'd do this:
# make removed test a warning rather than an error, globally
tests:
  removed: warn
Licensing
To provide a list of allowed licenses, or to disallow specific licenses, list those licenses in the 'licensing:' section.
Only one of 'allowed:' or 'disallowed:' can be used. If you have an 'allowed:' section, the 'disallowed:' section will be ignored.
Each item in the list should be an SPDX identifier. See the list at https://spdx.org/licenses/.
Example: Allow ONLY 0BSD, AAL, Abstyles and Adobe-2006; any license not in this list will fail the build.
licensing:
  allowed:
    - 0BSD
    - AAL
    - Abstyles
    - Adobe-2006
Example: Disallow a selection of licenses (0BSD, AAL, Abstyles and Adobe-2006); any of these will fail the build.
licensing:
  disallowed:
    - 0BSD
    - AAL
    - Abstyles
    - Adobe-2006
(Examples chosen alphabetically from SPDX; Tidelift imposes no opinion on which licenses you should use.)
To exempt a specific package from a license rule, while that license still fails everywhere else, add an exception like this:
licensing:
  disallowed:
    - 0BSD
  exceptions:
    - name: thing
      platform: rubygems
      tests:
        - license_prohibited
Note: Some licenses have multiple variants. Be sure to list all variants shown on the SPDX list, including the deprecated identifiers.
For example, to disallow all forms of Affero GPL, you would need to list these variants:
licensing:
  disallowed:
    - AGPL-1.0-only
    - AGPL-1.0-or-later
    - AGPL-3.0-only
    - AGPL-3.0-or-later
    - AGPL-1.0
    - AGPL-3.0
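The following Python is an added example, not Tidelift's own code (the checker's internals are not described on this page). It applies a parsed .tidelift.yml to checker results the way the two sections above describe: the 'tests:' section overrides each test's mode (with the documented defaults otherwise), 'allowed:' acts as an allow-list that takes precedence over 'disallowed:', and an 'exceptions:' entry exempts the named package on the named platform from the listed tests (the assumption here is that an exception applies to exactly the tests it lists). The config dicts are what yaml.safe_load would return for the page's snippets; the package names, platforms and licenses are constructed.

```python
"""Apply a parsed .tidelift.yml to dependency-checker results.

Added example, not Tidelift's own code. Inputs are the Python structures
yaml.safe_load returns for the page's snippets; package names, platforms
and licenses below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Test types the page lists, each with the default mode the page states:
# 'unmaintained' and 'inactive_stream' warn, everything else fails.
DEFAULT_MODES = {
    "removed": "fail", "deprecated": "fail", "unmaintained": "warn",
    "vulnerable": "fail", "unlicensed": "fail", "missing_license": "fail",
    "non_spdx_license": "fail", "license_prohibited": "fail",
    "inactive_stream": "warn", "not_in_catalog": "fail",
}
MODES = ("skip", "warn", "fail")


def validate_config(cfg):
    """Return a list of problems found in the config (empty means valid)."""
    problems = []
    for test, mode in (cfg.get("tests") or {}).items():
        if test not in DEFAULT_MODES:
            problems.append(f"unknown test type {test!r}")
        elif mode not in MODES:
            problems.append(f"unknown mode {mode!r} for test {test!r}")
    lic = cfg.get("licensing") or {}
    if "allowed" in lic and "disallowed" in lic:
        # The page says only one may be used; 'disallowed:' is ignored.
        problems.append("both 'allowed:' and 'disallowed:' set; 'disallowed:' is ignored")
    for exc in lic.get("exceptions") or []:
        missing = [k for k in ("name", "platform", "tests") if k not in exc]
        if missing:
            problems.append(f"exception {exc!r} lacks {missing}")
        for t in exc.get("tests") or []:
            if t not in DEFAULT_MODES:
                problems.append(f"exception {exc.get('name')!r} names unknown test {t!r}")
    return problems


def license_prohibited(cfg, spdx_id):
    """'allowed:' is an allow-list; otherwise 'disallowed:' is a deny-list."""
    lic = cfg.get("licensing") or {}
    if "allowed" in lic:
        return spdx_id not in lic["allowed"]
    return spdx_id in (lic.get("disallowed") or [])


def excepted(cfg, name, platform, test):
    """True if a licensing exception names this package/platform for this test."""
    for exc in (cfg.get("licensing") or {}).get("exceptions") or []:
        if (exc.get("name") == name and exc.get("platform") == platform
                and test in (exc.get("tests") or [])):
            return True
    return False


@dataclass
class Dependency:
    name: str
    platform: str
    license: str                               # SPDX identifier as reported
    flags: set = field(default_factory=set)    # raw checker results, e.g. {"removed"}


def evaluate(cfg, deps):
    """Return ({(name, test): outcome}, pr_status).

    outcome is the configured mode ('skip', 'warn', 'fail') or 'excepted';
    pr_status is 'failing' if any outcome is 'fail', else 'passing'.
    """
    tests_cfg = cfg.get("tests") or {}
    outcomes = {}
    for dep in deps:
        raised = set(dep.flags)
        if license_prohibited(cfg, dep.license):
            raised.add("license_prohibited")
        for test in sorted(raised):
            if excepted(cfg, dep.name, dep.platform, test):
                outcomes[(dep.name, test)] = "excepted"
            else:
                outcomes[(dep.name, test)] = tests_cfg.get(test, DEFAULT_MODES[test])
    status = "failing" if "fail" in outcomes.values() else "passing"
    return outcomes, status


# Constructed config: the page's 'removed: warn' recipe plus a deny-list with
# one exception (package names and platforms are hypothetical).
EXAMPLE_CONFIG = {
    "tests": {"removed": "warn"},
    "licensing": {
        "disallowed": ["0BSD"],
        "exceptions": [{"name": "thing", "platform": "rubygems",
                        "tests": ["license_prohibited"]}],
    },
}
EXAMPLE_DEPS = [
    Dependency("thing", "rubygems", "0BSD"),                             # excepted
    Dependency("other", "rubygems", "0BSD"),                             # fail
    Dependency("old", "rubygems", "MIT", {"removed", "unmaintained"}),   # warn, warn
]

if __name__ == "__main__":
    for problem in validate_config(EXAMPLE_CONFIG):
        print("config problem:", problem)
    outcomes, status = evaluate(EXAMPLE_CONFIG, EXAMPLE_DEPS)
    for (name, test), outcome in sorted(outcomes.items()):
        print(f"{name:<6} {test:<20} {outcome}")
    print("pull request status:", status)
```

Running it shows why an 'allowed:' list is the safer policy for a catalog: a deny-list only catches identifiers you remembered to list (hence the page's note about SPDX variants), whereas an allow-list fails anything unlisted by default. validate_config flags the config mistakes the page warns about before any dependency is evaluated.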