Using outdated package releases is a risk to your organization. Similar to deprecated packages, older releases are less likely to be patched. While the package itself may still be actively maintained, these older releases usually have security vulnerabilities and issues that are addressed in newer releases. The longer your organization waits to update to a newer release, the harder it may become as more changes are made to the package. With the Tidelift Subscription, you can keep outdated package releases out of your organization's catalog by using the 'Releases are up to date' standard.
Tidelift is regularly monitoring for package releases from the package manager.
We will notify you when your team is using or wants to use outdated releases and help you uphold this standard.
What is considered outdated?
You can begin creating violations for outdated packages from the Catalog > Standards page and turning on the "Releases are up to date" standard. Each organization is different so we allow you to specify what you consider outdated.
Let's use an example. Suppose you set a default that all releases should be no more than 1 year older than the latest release. 2.0.0 is the latest release, but your projects are still using releases 1.5.0 and 1.0.0. In the example, Tidelift will alert you to update where you're using version 1.0.0, but not 1.5.0.
| Release | Release date | Status |
|---|---|---|
| 2.0.0 | 1 Jan 2020 | Allowed, latest release |
| 1.5.0 | 1 Apr 2019 | Allowed, < 1 year older than the latest release |
| 1.0.0 | 1 Apr 2018 | Not Allowed, > 1 year older than the latest release |
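The example above can be checked mechanically. The following is an added illustration, not Tidelift's own code: it models the "Releases are up to date" standard as a date comparison against the latest release, using the three releases from the table as constructed sample data. The threshold of 365 days for "1 year", the `Release` type, and the status names are assumptions made for the example; the check reports versions that the catalog does not know about rather than silently skipping them.

```python
from dataclasses import dataclass
from datetime import date, timedelta


# Constructed sample data: the three releases from the worked example above.
@dataclass(frozen=True)
class Release:
    version: str
    released: date


SAMPLE_RELEASES = [
    Release("2.0.0", date(2020, 1, 1)),
    Release("1.5.0", date(2019, 4, 1)),
    Release("1.0.0", date(2018, 4, 1)),
]

# Default from the example: a release may be at most one year older than the
# latest release. Treating "1 year" as 365 days is an assumption.
DEFAULT_MAX_AGE = timedelta(days=365)


def latest_release(releases):
    """Return the release with the most recent release date."""
    if not releases:
        raise ValueError("no releases known for this package")
    return max(releases, key=lambda r: r.released)


def age_behind_latest(release, latest):
    """Days between this release and the latest release (0 for the latest)."""
    return (latest.released - release.released).days


def classify(release, latest, max_age=DEFAULT_MAX_AGE):
    """Return 'latest', 'allowed' or 'outdated' for one release."""
    if release.released == latest.released:
        return "latest"
    if latest.released - release.released > max_age:
        return "outdated"
    return "allowed"


def evaluate_catalog(releases, in_use, max_age=DEFAULT_MAX_AGE):
    """Check the versions a project uses against the standard.

    Returns a dict mapping version -> status. A version that is not a known
    release of the package is reported as 'unknown' rather than dropped,
    because a release nobody has seen cannot be judged up to date.
    """
    latest = latest_release(releases)
    by_version = {r.version: r for r in releases}
    result = {}
    for version in in_use:
        release = by_version.get(version)
        result[version] = "unknown" if release is None else classify(release, latest, max_age)
    return result


def violations(releases, in_use, max_age=DEFAULT_MAX_AGE):
    """Versions that would raise a standard violation for catalog administrators."""
    statuses = evaluate_catalog(releases, in_use, max_age)
    return sorted(v for v, s in statuses.items() if s == "outdated")


if __name__ == "__main__":
    latest = latest_release(SAMPLE_RELEASES)
    for r in SAMPLE_RELEASES:
        days = age_behind_latest(r, latest)
        print(f"{r.version:>6} {r.released} {days:>4} days behind -> {classify(r, latest)}")
    print("violations:", violations(SAMPLE_RELEASES, ["2.0.0", "1.5.0", "1.0.0"]))
```

Run as written, the script reports 1.5.0 as 275 days behind (allowed) and 1.0.0 as 640 days behind (outdated), matching the table; passing a different `max_age` reproduces the per-organization threshold the page describes.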
How do I keep my team from using outdated releases?
You can begin creating violations for outdated releases from the Catalog > Standards page and turning on the "Releases are up to date" standard.
What happens if a package release in my catalog becomes outdated?
Tidelift is regularly monitoring all packages and will notify you if a package release that you are currently using is made outdated by a newer release. A task will be generated for the catalog administrators to notify them about already-approved releases that violate this standard. For each package, the catalog administrators can resolve the violation by doing one of the following:
- Create an exception for the outdated package release
- Deny the specific release of the package and provide alternative releases to upgrade to
What happens when a newly requested package release is outdated?
If a developer requests a package release that Tidelift knows to be outdated, the catalog administrators reviewing the request will see that there is a standard violation. The catalog administrators can do any of the following:
- Create an exception for the package release and approve the release
- Deny the release
Creating exceptions for outdated package releases (Not Recommended)
When a package release becomes outdated or a developer requests an outdated package release, you may still want to create an exception for this package release to be approved in your catalog.
Exceptions can be created when completing a task and can apply to an entire package. You can view and export all outdated package exceptions by going to Standards and clicking on 'create an exception' under the 'Releases are up to date' standard.