Using outdated package releases is a risk to your organization. Like deprecated packages, older releases are less likely to receive patches. Even when the package itself is still actively maintained, fixes usually land only in the newest release line, so older releases are more likely to carry known, already-fixed security vulnerabilities and other harmful issues.
How can Tidelift help?
The longer your organization waits to update to a newer release, the harder the update may become as more changes accumulate in the package. With the Tidelift Subscription, you can keep outdated package releases out of your organization's catalog by using the Up to date standard. Tidelift regularly monitors the package manager for new releases. We will notify you when your team is using, or wants to use, an outdated release and help you uphold this standard.
What is considered outdated?
Every organization is different, so you specify what you consider outdated when you turn on the Up to date standard on the Catalog > Standards page. The threshold is a maximum age relative to the latest release of the same package.
Let's use an example. Suppose you set a default that all releases should be no more than 1 year older than the latest release. 2.0.0 is the latest release, but your projects are still using releases 1.5.0 and 1.0.0. Tidelift will alert you to update where you're using version 1.0.0, but not 1.5.0. Note that age is measured against the date of the latest release, not against today's date: 1.5.0 is nine months older than 2.0.0 and passes, while 1.0.0 is 21 months older and fails. A package whose latest release is itself old therefore produces no violation under this standard.
| Version | Release Date | Decision |
| --- | --- | --- |
| 2.0.0 | 1 Jan 2020 | Allowed, latest release |
| 1.5.0 | 1 Apr 2019 | Allowed, < 1 year older than the latest release |
| 1.0.0 | 1 Apr 2018 | Not Allowed, > 1 year older than the latest release |
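The following is an added example, not Tidelift's code, that models the rule above on the table's data: it picks the latest release, anchors a one-year window on that release's date, and reports which versions in use fall outside it. It assumes "latest" means newest by release date and approximates one year as 365 days; the `Release`, `decide`, `violations` and `shift` names are hypothetical. The `shift` helper moves every date back five years to show that the window follows the latest release rather than the calendar.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical helper, not Tidelift's code: a minimal model of the Up to date
# standard as described above. "One year" is approximated as 365 days.
ONE_YEAR = timedelta(days=365)


@dataclass(frozen=True)
class Release:
    version: str
    released: date


# Constructed sample data: the three releases from the table above.
RELEASES = [
    Release("2.0.0", date(2020, 1, 1)),
    Release("1.5.0", date(2019, 4, 1)),
    Release("1.0.0", date(2018, 4, 1)),
]


def latest_release(releases):
    """Reference point for the check: the most recently published release.

    Assumption: 'latest' means newest by release date. The page does not say
    how Tidelift picks the latest release (for example how backports to an
    old branch are treated), so treat this as illustrative only.
    """
    return max(releases, key=lambda r: r.released)


def decide(releases, max_age=ONE_YEAR):
    """Map each version to the decision the standard would make for it.

    The age window is anchored on the latest release's date, not on today's
    date, so a package whose newest release is itself years old yields no
    violations: the standard catches lagging behind within a package, not
    stale packages as such.
    """
    latest = latest_release(releases)
    cutoff = latest.released - max_age
    decisions = {}
    for r in releases:
        if r is latest:
            decisions[r.version] = "Allowed, latest release"
        elif r.released >= cutoff:
            decisions[r.version] = "Allowed, within window"
        else:
            decisions[r.version] = "Not Allowed, outdated"
    return decisions


def violations(releases, in_use, max_age=ONE_YEAR):
    """Versions in use that violate the standard, i.e. what a task would list."""
    decisions = decide(releases, max_age)
    return sorted(v for v in in_use if decisions.get(v, "").startswith("Not Allowed"))


def shift(releases, years):
    """Move every release date back by `years` to show the window is relative."""
    return [
        Release(r.version, r.released.replace(year=r.released.year - years))
        for r in releases
    ]


if __name__ == "__main__":
    for version, decision in decide(RELEASES).items():
        print(f"{version}: {decision}")
    print("violations:", violations(RELEASES, {"1.5.0", "1.0.0"}))
    # Same outcome with every date five years older: the window follows the
    # latest release, not the calendar.
    print("violations (dates 5y older):", violations(shift(RELEASES, 5), {"1.5.0", "1.0.0"}))
```

Running the block prints one decision per version and `['1.0.0']` for both the original and the shifted dates. If you also want to flag packages that have had no release at all for a long time, that is a separate check against today's date, which this standard as described does not perform.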
How do I keep my team from using outdated releases?
You can begin creating violations for outdated releases from the Catalog > Standards page and turning on the Up to date standard.
What happens if a package release in my catalog becomes outdated?
Tidelift regularly monitors all packages and will notify you if a package release you are currently using becomes outdated because a newer release has been published. A task is generated for the catalog administrators listing the already-approved releases that now violate this standard. For each package, the catalog administrators can resolve the violation by doing one of the following:
- Create an override for the outdated package release
- Deny the specific release of the package and provide alternative releases to upgrade to
What happens when a newly requested package release is outdated?
If a developer requests a package release that Tidelift knows to be outdated, the catalog administrators reviewing the request will see that there is a standard violation. The catalog administrators can do any of the following:
- Create an override for the package release and approve the release
- Deny the release
Creating overrides for outdated package releases (Not Recommended)
When a package release becomes outdated or a developer requests an outdated package release, you may still want to create an override so that the release is approved in your catalog. Overrides can be created when completing a task and can apply to an entire package; a package-wide override also suppresses future outdated-release violations for that package, so scope an override to the specific release where you can. You can view, export and create overrides for this standard by:
- Go to Standards
- Find the Up to date standard
- Select Manage overrides on the right
- Click Create new overrides and fill in the appropriate information
- Click Submit