Welcome to the April 2021 edition of the Tidelift product update, or Pupdate for short! 🐶 The Pupdate is a rundown of new features and enhancements in the Tidelift product, and there’s a picture of a dog at the end.
The Tidelift product team has been speaking directly with many organizations that use and love open source. A recurring need we hear is that teams want to make more informed decisions about the open source they are using. We have met teams that have tried manually reviewing and culling a list of packages, but the overhead of keeping it maintained has proved too much. This is one of the reasons we introduced catalogs—any organization can now use Tidelift to set up a catalog of approved open source packages. With Tidelift, teams are now making better decisions about open source and using our tooling to automate the hard parts.
Making more informed decisions and automating the process are themes that you will see across many of this month’s updates.
Only use actively maintained releases
The “Releases are actively maintained” standard is now available for all catalogs.
If a developer requests a deprecated package or if an already-approved package becomes deprecated, this will create a task for review. Teams can either reject the deprecated release or create an exception.
Read more in our docs article, or check out this amazing post on the current state of package invalidation by senior software engineer Tieg Zaharia.
Only use Tidelift-vetted releases
For organizations that want to put their catalog on autopilot and trust Tidelift’s guidance, a “Releases are approved by Tidelift” standard is now available in early access.
Tidelift is managing catalogs of our own. Your organization can choose for your catalog to be a full copy or subset of one of Tidelift’s catalogs. Exceptions can be created as needed, including for internal packages.
If you are interested in learning more about this feature, contact support@tidelift.com.
Project groups
Project groups can now be used to organize projects within Tidelift. Groups could represent different business units or different application areas, and users can also be added to groups.
Groups can be used to filter the catalog task list so that users only see tasks that are relevant to their group.
Read this docs article to learn more about the benefits of groups and how to set them up for your organization.
View dependency chains
Dependency chains can be used to inspect how any given package release was indirectly brought into a project by other packages.
Dependency chains can be inspected by a developer after a build fails, and can also be viewed from all bill of materials and package pages.
Dependency chains are now available for all JavaScript (npm) and Java (Maven) packages. Read more about how to see dependency chains in the docs article.
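To make the idea concrete, here is an added example (not Tidelift's code, and not how the Tidelift product computes its chains) of the traversal a dependency-chain view performs: given a resolved dependency graph, find every path from the project root to a particular package release. The graph, package names and versions below are constructed for the example and stand in for what a lockfile such as package-lock.json or a Maven dependency tree resolves to.

```python
from collections import deque

# Constructed dependency graph (invented packages and versions for this example).
# Each key is a resolved release "name@version"; each value lists the releases it
# depends on directly. A real graph would be read from the project's lockfile.
DEPENDENCY_GRAPH = {
    "my-app@1.0.0": ["web-framework@4.2.0", "test-runner@9.1.0"],
    "web-framework@4.2.0": ["http-parser@2.3.1", "string-utils@1.0.5"],
    "test-runner@9.1.0": ["string-utils@1.0.5", "glob-matcher@7.0.0"],
    "http-parser@2.3.1": ["string-utils@1.0.5"],
    "string-utils@1.0.5": [],
    "glob-matcher@7.0.0": [],
}


def dependency_chains(graph, root, target):
    """Return every chain root -> ... -> target, each as a list of releases.

    Uses depth-first search over direct-dependency edges. A release already on
    the current path is skipped so that cyclic graphs cannot loop forever.
    """
    chains = []

    def walk(node, path):
        if node == target:
            chains.append(path)
            return
        for dep in graph.get(node, []):
            if dep in path:  # cycle guard
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return chains


def shortest_chain(graph, root, target):
    """Return the shortest chain root -> ... -> target (breadth-first), or None.

    This is the single path a reviewer usually wants first: the most direct
    route by which a flagged release entered the project.
    """
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            return path
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None


def direct_parents(graph, target):
    """Return the releases that list target as a direct dependency, sorted.

    These are the packages whose own upgrade or removal would change whether
    target is pulled in at all.
    """
    return sorted(node for node, deps in graph.items() if target in deps)


def format_chain(chain):
    """Render a chain the way a build log or report would show it."""
    return " -> ".join(chain)


if __name__ == "__main__":
    flagged = "string-utils@1.0.5"
    for chain in dependency_chains(DEPENDENCY_GRAPH, "my-app@1.0.0", flagged):
        print(format_chain(chain))
    print("shortest:", format_chain(shortest_chain(DEPENDENCY_GRAPH, "my-app@1.0.0", flagged)))
    print("pulled in directly by:", direct_parents(DEPENDENCY_GRAPH, flagged))
```

Listing all chains rather than just one matters in practice: a transitive release that is reachable through several parents is not removed by fixing only one of them, and the direct-parent list tells you which upgrades would actually change the resolution.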
CLI enhancements
Finally, we have rolled out a slew of new functionality to the Tidelift CLI that makes it easier to automate new project setup and provides access to critical information:
- Projects and project keys can now be created via the CLI using tidelift projects new and tidelift projects new-key, respectively
- All approved, denied, and requested releases in a catalog can be viewed using tidelift releases list
- Security vulnerability information is now displayed for specific packages when using tidelift releases lookup
- API response headers and post bodies can now be viewed when using the --debug flag
If you’re just getting started, we published an updated guide on tracking projects and getting bills of materials using the CLI. Also see Tidelift CLI reference for complete documentation.
--
You have made it to the end of this month’s Pupdate, and it’s time to introduce you to one of the Tidelift pups. This is Moose enjoying a beautiful spring morning with his owner Margot. Margot is a business development representative at Tidelift—perhaps you’ve already had the chance to meet! Send Margot a chat message and maybe she’ll send you more pictures of Moose.