Intro to managed open source p. 1 of 6: keeping your open source components secure

by Jeff Stern
on December 4, 2019

Over the next few weeks I’ll be highlighting each of the key features of the Tidelift Subscription in a series of blog posts. Today in part one I cover how to get security updates for your open source dependencies via the Tidelift Subscription. And if you’d like to start with a more complete view of how the Tidelift Subscription works, take a tour here.

Security updates are a key benefit of the Tidelift managed open source subscription. For each of your repositories, you can view a list of any packages you're using that have known vulnerabilities.

If you aren’t securing your open source dependencies yet, you can get started with a free trial of the Tidelift Subscription.

We will always provide you with a recommendation on how to proceed, usually by upgrading to a recommended version. In instances where no fix is available, or none is compatible with your stack, we can work directly with the upstream maintainers to resolve the issue for you. Curious what this looks like in your own repo? You can activate your free trial now.

[Screenshot: Straightforward, actionable steps to improve the security of your project]

We also want to help you prevent vulnerable packages from ever entering your build. We help you do this by allowing you to set up an open source policy. The open source policy, which integrates neatly into your existing CI/CD workflow, acts as a gatekeeper for all of your open source dependencies, rejecting builds with versions that include a known vulnerability.

Tidelift’s default policy is set to fail all PRs that bring in new issues that didn’t already exist on master. We also give you full control over how strict you want your policy to be. For example, when getting started you may prefer to simply create warnings for new security vulnerabilities to more easily transition to using a new tool.
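As an added illustration of the kind of gate described above (this is not Tidelift's own code; the findings format, package names and advisory identifiers are constructed placeholders), the following Python compares the vulnerability findings on the base branch with those on a pull request, reports only the issues the PR introduces, and applies either a "fail" or a "warn" policy mode:

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hypothetical shape of a vulnerability finding produced by a dependency scanner.
@dataclass(frozen=True)
class Finding:
    package: str   # dependency name
    version: str   # installed version
    advisory: str  # identifier of the known vulnerability (constructed placeholders below)

# Constructed sample data: findings on the base branch and on the PR branch.
BASE_FINDINGS = [
    Finding("example-lib-a", "1.2.3", "EXAMPLE-ADV-0001"),
]
PR_FINDINGS = [
    Finding("example-lib-a", "1.2.3", "EXAMPLE-ADV-0001"),  # pre-existing on base
    Finding("example-lib-b", "0.9.0", "EXAMPLE-ADV-0002"),  # newly introduced by the PR
]


def new_findings(base: Iterable[Finding], pr: Iterable[Finding]) -> List[Finding]:
    """Findings present on the PR branch that did not already exist on the base branch."""
    introduced = set(pr) - set(base)
    return sorted(introduced, key=lambda f: (f.package, f.version, f.advisory))


def evaluate_policy(base: Iterable[Finding], pr: Iterable[Finding],
                    mode: str = "fail") -> Tuple[str, List[Finding]]:
    """Apply the policy: 'fail' blocks a PR that adds new issues, 'warn' only reports them.

    Returns (status, new_issues) where status is 'pass', 'warn' or 'fail'.
    """
    if mode not in ("fail", "warn"):
        raise ValueError(f"unknown policy mode: {mode!r}")
    introduced = new_findings(base, pr)
    if not introduced:
        return "pass", []
    return mode, introduced


def format_report(status: str, introduced: List[Finding]) -> str:
    """Human-readable summary suitable for a CI log."""
    lines = [f"policy result: {status.upper()}"]
    for f in introduced:
        lines.append(f"  new issue: {f.package}=={f.version} ({f.advisory})")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # A CI job would typically exit non-zero only in 'fail' mode.
    status, introduced = evaluate_policy(BASE_FINDINGS, PR_FINDINGS, mode="fail")
    print(format_report(status, introduced))
    sys.exit(1 if status == "fail" else 0)
```

Note that the comparison is set-based on (package, version, advisory), so a PR that merely keeps an issue already present on the base branch passes, while one that pulls in a newly vulnerable version is flagged; switching `mode` to "warn" yields the softer behaviour described for teams that are just adopting the gate.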

[Screenshot: You have complete control over your organization’s open source policy.]

Are you currently using any packages with known security vulnerabilities? Take action today by upgrading them to the recommended release managed as part of the Tidelift Subscription. You can also set up your policy so you become instantly aware of future issues.
