Tidelift helps organizations remove risk to their revenue, data, and customers from bad open source packages. Bad packages (by which we mean bad-for-enterprise-use packages that are end-of-life, abandoned, or insecure) lead to more vulnerabilities, many of which are difficult to fix. This is making your application development team less productive, and creating more risk for your security team to manage.
Tidelift takes a unique, data driven approach to addressing the issue of bad packages. Tidelift partners with the maintainers of thousands of the most-relied-upon open source packages and pays them to implement industry-leading secure software development practices and document the practices they follow. The result is a unique source of cross-ecosystem package intelligence that customers use to identify and eliminate bad packages.
Today, Tidelift is excited to announce the availability of end-of-life package data to further customers’ ability to identify bad open source packages. End-of-life data is now being used in our evaluation of open source packages and is also available to our customers via our web UI and APIs.
An end-of-life package is one whose maintainers have declared that it is no longer maintained. In the case of a vulnerability or an attack, end-of-life packages do not receive updates or security patches, thus putting the burden of remediation entirely on users. End-of-life packages are highly risky and should not be used for application development.
Everyone scans for vulnerabilities. But what about the latent risk from packages that are officially no longer maintained, meaning future vulnerabilities will no longer be fixed. In many instances, organizations are often unaware of their dependence on end-of-life open source packages due to the challenges associated with gathering the relevant data.
Take Log4Shell as an example. Many organizations spent millions of dollars and hundreds of hours doing an emergency remediation of a critical vulnerability. But the original log4j package that was affected by the vulnerability had been declared end-of-life in 2015—six years before Log4Shell. Users who were aware of the end-of-life event and had already migrated to its replacement made a simple, small upgrade to remediate the vulnerability. Users who weren’t aware of the end-of-life had a major migration that required code changes in their applications, under extreme time pressure.
An end-of-life package will not be fixed if there is an issue. If a vulnerability is discovered, you will have to find a replacement and then possibly have to re-architect your application to use it. This isn’t something you want to do in an emergency. It's a severe technical risk that could create a time and resource-consuming emergency fire drill for your engineering team.
Regulatory authorities are noticing the risk associated with end-of-life software, and beginning to require that organizations track and report their usage. Examples include:
PCI-DSS certification
To comply with PCI-DSS requirements regarding end-of-life software, organizations must regularly monitor software, assess end-of-life related risk, implement mitigation by upgrading or replacing software to reduce risk, and maintain documentation of end-of-life software within their organization. Failure to remediate end-of-life software related risk in a timely manner can put PCI-DSS certification at risk.
Cybersecurity requirements for financial services companies
The state of New York has instituted new cybersecurity requirements for financial services companies that require companies to attest to the risk brought in by the cybersecurity practices of third parties, which includes open source software they depend on. In the event that open source software is end-of-life, that risk transfers to the company and needs to be tracked and accounted for. This directive took effect in April of 2024.
Cybersecurity in medical devices
The United States Food and Drug Administration implemented new cybersecurity requirements for medical devices in October 2023, and explicitly states that device manufacturers must, for all their software dependencies, include the software maintenance status, support status, and end-of-support date. These requirements do not distinguish between third-party commercial and open source dependencies.
These are just some examples, regulations such as these are likely to spread to other industries and other jurisdictions in the future. Not tracking the end-of-life state of the software you rely on opens your organization up to regulatory risk as well.
In order to minimize risk, organizations need to prioritize the work of migrating away from end-of-life open source packages. However, gathering data and identifying end-of-life packages is time consuming and challenging as there is no centralized source for this information.
Tidelift is addressing this area of need for organizations. Our data scientists comb a number of sources, including package manager data, foundation data, and package READMEs, and source repositories to collect this data. We’re expanding our open source package analysis by merging end-of-life data with existing information about deprecation, maintenance, and other secure development practices into a holistic recommendation that organizations use to eliminate entire categories of risky and bad open source packages from their environments.
Organizations use of end-of-life related data to eliminate bad packages by:
If you’re not tracking the end-of-life status of software that you use, you open up your organization to both technical risk from future vulnerabilities, and regulatory risk that would impact business initiatives.
Tidelift’s new end-of-life capabilities allow you to avoid bringing risky packages into your organization, plan initiatives to remove existing end-of-life packages, and detect when software is end-of-life. By undertaking these efforts, you remove entire categories of risk before it becomes a problem for your organization, and you can focus on the value that you were hired to provide.
Today we’re announcing the availability of package end-of-life data. We’re working on getting more granular and diving down to open source package version level end-of-life data, and gathering alternative packages that users can use instead. Keep checking this space as we’ll be making an announcement about version level information soon!
Contact us or read our documentation to learn more about how Tidelift can help you with end-of-life data and to eliminate bad open source packages.