Up-to-date releases standard

Using outdated package releases is a risk to your organization. Like deprecated packages, older releases are less likely to be patched. While the package itself may still be actively maintained, older releases usually have security vulnerabilities and other potentially harmful issues.

How can Tidelift help?

The longer your organization waits to update to a newer release, the harder the update may become as more changes accumulate in the package. With the Tidelift Subscription, you can keep outdated package releases out of your organization's catalog by using the Up to date standard. Tidelift regularly monitors the package manager for new package releases. We will notify you when your team is using or wants to use outdated releases and help you uphold this standard.

What is considered outdated?

You can begin creating violations for outdated releases from the Catalog > Standards page by turning on the Up to date standard. Each organization is different, so we allow you to specify what you consider outdated.


Let's use an example. Suppose you set a default that all releases should be no more than 1 year older than the latest release. 2.0.0 is the latest release, but your projects are still using releases 1.5.0 and 1.0.0. In this example, Tidelift will alert you to update wherever you're using version 1.0.0, but not 1.5.0, because only 1.0.0 was released more than a year before 2.0.0.

Version   Release date   Decision
2.0.0     1 Jan 2020     Allowed, latest release
1.5.0     1 Apr 2019     Allowed, < 1 year older than the latest release
1.0.0     1 Apr 2018     Not Allowed, > 1 year older than the latest release


How do I keep my team from using outdated releases?

You can begin creating violations for outdated releases from the Catalog > Standards page by turning on the Up to date standard.

What happens if a package release in my catalog becomes outdated?

Tidelift regularly monitors all packages and will notify you if a package release that you are currently using becomes outdated because a newer release has been published. A task will be generated for the catalog administrators to notify them about already-approved releases that violate this standard. For each package, the catalog administrators can resolve the violation by doing one of the following:

  • Create an override for the outdated package release
  • Deny the specific release of the package and provide alternative releases to upgrade to

What happens when a newly requested package release is outdated?

If a developer requests a package release that Tidelift knows to be outdated, the catalog administrators reviewing the request will see that there is a standard violation. The catalog administrators can do one of the following:

  • Create an override for the package release and approve the release
  • Deny the release


Managing overrides

You may want to allow something that the up-to-date releases standard has not allowed. For example, it could be a legacy project inside your organization where there are no upgrades planned.

To do so, see Creating Overrides.
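The rule in the "What is considered outdated?" example, together with the override described above, can be checked locally before a request ever reaches the catalog. The following is an added example and not Tidelift code: it takes a constructed release list mirroring the table, a configurable age threshold (the article's default is 1 year), and an optional set of overridden versions, and returns the same decisions the article shows.

```python
from datetime import date, timedelta

# Constructed sample mirroring the article's table; not data from Tidelift.
RELEASES = {
    "2.0.0": date(2020, 1, 1),
    "1.5.0": date(2019, 4, 1),
    "1.0.0": date(2018, 4, 1),
}


def latest_release(releases):
    """Newest release by release date; the standard measures age against it."""
    return max(releases, key=releases.get)


def evaluate(releases, max_age_days, overrides=frozenset()):
    """Return {version: decision} under the up-to-date releases rule.

    A release is allowed if it is the latest, or if it was published no more
    than max_age_days before the latest release. Versions listed in
    overrides are allowed anyway, mirroring a catalog override for e.g. a
    legacy project with no upgrade planned.
    """
    latest = latest_release(releases)
    cutoff = releases[latest] - timedelta(days=max_age_days)
    decisions = {}
    for version, released in releases.items():
        if version == latest:
            decisions[version] = "Allowed, latest release"
        elif released >= cutoff:
            decisions[version] = "Allowed, within threshold"
        elif version in overrides:
            decisions[version] = "Allowed, override"
        else:
            decisions[version] = "Not Allowed, older than threshold"
    return decisions


def violations(releases, max_age_days, overrides=frozenset()):
    """Versions that would raise a standard violation, sorted for stable output."""
    decided = evaluate(releases, max_age_days, overrides)
    return sorted(v for v, d in decided.items() if d.startswith("Not Allowed"))


if __name__ == "__main__":
    for version, decision in evaluate(RELEASES, 365).items():
        print(f"{version:8} {RELEASES[version]:%d %b %Y}  {decision}")
```

Tightening the threshold (say 180 days) flags 1.5.0 as well, which is the kind of per-organization tuning the standard's settings allow.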
